--- Class[Adduser].orig
+++ Class[Adduser]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']
Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]
- Parameters differences:
--- Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)].orig
+++ Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]
+ command => /bin/systemctl daemon-reload
+ refreshonly => True
+ before => ['Service[envoyproxy.service]']
- File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml]
- Parameters differences:
--- File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml].orig
+++ File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml]
+ mode => 0444
+ owner => root
+ group => root
+ ensure => present
+ notify => Exec[verify-envoy-config]
- Content differences:
--- /etc/envoy/clusters.d/00-cluster_local_port_443.yaml.orig
+++ /etc/envoy/clusters.d/00-cluster_local_port_443.yaml
@@ -0,0 +1,28 @@
+name: local_port_443
+connect_timeout: 1.0s
+typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ common_http_protocol_options:
+ idle_timeout: 100.0s
+ max_requests_per_connection: 1
+ use_downstream_protocol_config: {}
+type: strict_dns
+lb_policy: round_robin
+load_assignment:
+ cluster_name: local_port_443
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: gitlab1004.wikimedia.org
+ port_value: 443
+transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ validation_context:
+ trusted_ca:
+ filename: /etc/ssl/certs/ca-certificates.crt
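Review bot: The upstream TLS context (from `transport_socket:` down to `trusted_ca:`) verifies the chain against the system CA bundle but sets neither `match_typed_subject_alt_names` nor `sni`, so when connecting to gitlab1004.wikimedia.org:443 Envoy accepts any certificate issued by any CA in /etc/ssl/certs/ca-certificates.crt for any name, because Envoy does not check the peer hostname unless told to. Pin the expected DNS SAN and send SNI so the upstream presents the matching certificate; this file is presumably rendered by the envoyproxy module's cluster template, so the change belongs there rather than in this catalog output. This assumes the certificate served on gitlab1004.wikimedia.org:443 carries that name as a SAN, which is not visible here (the Cfssl::Csr `hosts` list that includes it is for the Envoy-side certificate, not the upstream one).
```yaml
# … unchanged: name, connect_timeout, protocol options, type, lb_policy, load_assignment …
transport_socket:
  # … unchanged: name …
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    sni: gitlab1004.wikimedia.org
    common_tls_context:
      validation_context:
        # … unchanged: trusted_ca …
        match_typed_subject_alt_names:
        - san_type: DNS
          matcher:
            exact: gitlab1004.wikimedia.org
```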
- File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]
- Parameters differences:
--- File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf].orig
+++ File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]
+ mode => 0444
+ owner => root
+ group => root
+ ensure => present
+ notify => Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]
- Content differences:
--- /etc/systemd/system/envoyproxy.service.d/puppet-override.conf.orig
+++ /etc/systemd/system/envoyproxy.service.d/puppet-override.conf
@@ -0,0 +1,26 @@
+[Service]
+# TODO: support hot restarts, see for instance https://www.envoyproxy.io/docs/envoy/latest/operations/hot_restarter
+# Ensure envoy can handle enough file descriptors
+LimitNOFILE=65536
+# Allow envoy to bind on a privileged port
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+ExecStart=
+# We use the hot-restarter script to start envoy. Please note that "restart"
+# in systemd terms is stop + start, so it will not hot-restart envoy.
+# We will have to use "reload" to obtain the desired result -
+# and have puppet run 'systemctl reload envoyproxy.service' instead.
+Environment="ENVOY_CONFIG=/etc/envoy/envoy.yaml"
+Environment="SERVICE_ZONE=eqiad"
+Environment="SERVICE_CLUSTER=misc"
+Environment="SERVICE_NODE=gitlab1004.wikimedia.org"
+ExecStart=/usr/local/sbin/envoyproxy-hot-restarter /usr/local/sbin/envoyproxy-start
+ExecReload=
+ExecReload=/bin/kill -s HUP $MAINPID
+
+# Security settings
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ReadWritePaths=/var/log/envoy/
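Review bot: The `# Security settings` block grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` but neither narrows the bounding set nor blocks privilege escalation, so the service (its `User=` comes from the packaged unit, outside this hunk) keeps the default capability bounding set and could still pick up capabilities through setuid binaries. Add `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, `NoNewPrivileges=yes` and `ProtectHome=yes` next to `ProtectSystem=strict`, provided the hot-restarter and /usr/local/sbin/envoyproxy-start do not depend on a setuid helper, which I cannot see from here. On this host the listener binds 8443 and the admin port is 9631, so the bind capability is not strictly needed, but the override is presumably a shared template and the hardening belongs at template level.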
- File[/usr/local/sbin/envoyproxy-hot-restarter]
- Parameters differences:
--- File[/usr/local/sbin/envoyproxy-hot-restarter].orig
+++ File[/usr/local/sbin/envoyproxy-hot-restarter]
+ source => puppet:///modules/envoyproxy/hot_restarter/hot-restarter.py
+ mode => 0555
+ owner => root
+ group => root
+ ensure => present
- Service[envoyproxy.service]
- Parameters differences:
--- Service[envoyproxy.service].orig
+++ Service[envoyproxy.service]
+ ensure => running
+ restart => /bin/systemctl reload envoyproxy.service
+ enable => True
- Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server]
- Parameters differences:
--- Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server].orig
+++ Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server]
+ notify_services => []
+ ensure => present
+ key => {'algo': 'ecdsa', 'size': 256}
+ mode => 0740
+ names => []
+ before => Exec[verify-envoy-config]
+ require => Package[envoyproxy]
+ renew_seconds => 952200
+ owner => envoy
+ outdir => /etc/envoy/ssl
+ auto_renew => True
+ profile => server
+ common_name => gitlab.wikimedia.org
+ provide_chain => True
+ label => discovery2026
+ hosts => ['gitlab.wikimedia.org', 'gitlab-replica-a.wikimedia.org', 'gitlab-replica-b.wikimedia.org', 'gitlab.discovery.wmnet', 'gitlab-replica-a.discovery.wmnet', 'gitlab-replica-b.discovery.wmnet', 'gitlab1004.wikimedia.org']
+ environment => ['GODEBUG=x509ignoreCN=0']
+ before_services => []
+ group => envoy
+ notify => Service[envoyproxy.service]
- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]
- Parameters differences:
--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]
+ source => puppet:///modules/profile/pki/intermediates/discovery2026-cert.pem
+ mode => 0440
+ owner => envoy
+ group => envoy
+ ensure => file
- File[/etc/envoy/runtime.yaml]
- Parameters differences:
--- File[/etc/envoy/runtime.yaml].orig
+++ File[/etc/envoy/runtime.yaml]
+ mode => 0555
+ owner => root
+ group => root
+ ensure => absent
+ notify => Exec[verify-envoy-config]
- Content differences:
--- /etc/envoy/runtime.yaml.orig
+++ /etc/envoy/runtime.yaml
@@ -0,0 +1 @@
+--- {}
- File[/etc/systemd/system/envoyproxy.service.d]
- Parameters differences:
--- File[/etc/systemd/system/envoyproxy.service.d].orig
+++ File[/etc/systemd/system/envoyproxy.service.d]
+ group => root
+ ensure => directory
+ mode => 0555
+ owner => root
- Rsyslog::Conf[envoy]
- Parameters differences:
--- Rsyslog::Conf[envoy].orig
+++ Rsyslog::Conf[envoy]
+ priority => 40
+ mode => 0444
+ ensure => present
+ require => File[/var/log/envoy]
- File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml]
- Parameters differences:
--- File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml].orig
+++ File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml]
+ mode => 0444
+ owner => root
+ group => root
+ ensure => present
+ notify => Exec[verify-envoy-config]
- Content differences:
--- /etc/envoy/listeners.d/00-tls_terminator_8443.yaml.orig
+++ /etc/envoy/listeners.d/00-tls_terminator_8443.yaml
@@ -0,0 +1,57 @@
+address:
+ socket_address:
+ port_value: 8443
+ address: 0.0.0.0
+per_connection_buffer_limit_bytes: 268435456
+listener_filters:
+- name: "envoy.filters.listener.tls_inspector"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+tcp_fast_open_queue_length: 150
+filter_chains:
+# Non-SNI support
+- transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ common_tls_context:
+ tls_certificates:
+ - certificate_chain: { filename: "/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem" }
+ private_key: { filename: "/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem" }
+ filters:
+ - name: envoy.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: ingress_http
+ common_http_protocol_options:
+ idle_timeout: 125.0s
+ stream_idle_timeout: 1800.0s
+ route_config:
+ virtual_hosts:
+ - name: non_sni_port_443
+ domains: ["*"]
+ routes:
+ - match: { prefix: "/" }
+ route:
+ cluster: local_port_443
+ timeout: 0.0s
+ idle_timeout: 900.0s
+ retry_policy:
+ num_retries: 1
+ retry_on: "5xx"
+ http_filters:
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ http_protocol_options:
+ accept_http_10: true
+ server_header_transformation: APPEND_IF_ABSENT
+ internal_address_config:
+ unix_sockets: true
+ cidr_ranges:
+ - address_prefix: 10.0.0.0
+ prefix_len: 8
+ - address_prefix: 127.0.0.1
+ prefix_len: 32
+ - address_prefix: ::1
+ prefix_len: 128
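Review bot: The route for `cluster: local_port_443` retries on `retry_on: "5xx"` for every request under `prefix: "/"`, which includes non-idempotent POST/PUT traffic to GitLab (API calls, git push over HTTPS), so a 5xx returned after the upstream has already acted on a request gets replayed. If retries are wanted for this host (`retries => True` on Class[Profile::Tlsproxy::Envoy] presumably produces this policy), restrict them to failures that cannot have reached the application, e.g. `retry_on: "connect-failure,refused-stream"`, or disable them here. How the profile maps `retries` onto the policy is not visible in this diff; the template may already offer a finer knob.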
- Envoyproxy::Tls_terminator[8443]
- Parameters differences:
--- Envoyproxy::Tls_terminator[8443].orig
+++ Envoyproxy::Tls_terminator[8443]
+ global_key_path => /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem
+ request_headers_to_add => {}
+ global_cert_path => /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem
+ downstream_idle_timeout => 125.0
+ response_headers_to_add => {}
+ websockets => False
+ upstreams => [{'server_names': ['*'], 'cert_path': None, 'key_path': None, 'upstream_port': 443, 'upstream_addr': 'gitlab1004.wikimedia.org', 'upstream_tls': True}]
+ upstream_idle_timeout => 900.0
+ connect_timeout => 1.0
+ header_key_format => none
+ retry_policy => {'num_retries': 1, 'retry_on': '5xx'}
+ use_remote_address => False
+ has_error_page => False
+ listen_ipv6 => False
+ local_otel_reporting_pct => 0.0
+ rate_limit_enabled => False
+ max_requests_per_conn => 1
+ fast_open_queue => 150
+ connection_buffer_limit => 268435456
+ stream_idle_timeout => 1800.0
+ upstream_response_timeout => 0.0
+ access_log => False
+ idle_timeout => 100.0
- File[/etc/envoy/stats-config.yaml]
- Parameters differences:
--- File[/etc/envoy/stats-config.yaml].orig
+++ File[/etc/envoy/stats-config.yaml]
+ source => puppet:///modules/envoyproxy/stats-config.yaml
+ mode => 0555
+ owner => root
+ group => root
+ ensure => present
+ notify => Exec[verify-envoy-config]
- Nftables::Service[envoy_tls_termination_src_sets]
- Parameters differences:
--- Nftables::Service[envoy_tls_termination_src_sets].orig
+++ Nftables::Service[envoy_tls_termination_src_sets]
+ notrack => True
+ desc =>
+ port => 8443
+ ensure => present
+ proto => tcp
+ unrestricted_access => False
+ prio => 10
+ src_sets => ['CACHES', 'BASTION_HOSTS']
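Review bot: `desc =>` on Nftables::Service[envoy_tls_termination_src_sets] is empty, which leaves the dangling `#` line after `# Managed by puppet` in both rendered rule files (/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft and /etc/nftables/input/10_envoy_tls_termination_src_sets.nft) and gives an operator reading the live ruleset no hint what port 8443 is for. Set a description such as `desc => 'Envoy TLS termination for GitLab (8443), reachable from caches and bastions'`.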
- Sysctl::Conffile[TCP Fast Open]
- Parameters differences:
--- Sysctl::Conffile[TCP Fast Open].orig
+++ Sysctl::Conffile[TCP Fast Open]
+ priority => 70
+ no_priority_prefix => False
+ ensure => present
- Class[Envoyproxy]
- Parameters differences:
--- Class[Envoyproxy].orig
+++ Class[Envoyproxy]
+ admin_port => 9631
+ pkg_name => envoyproxy
+ service_cluster => misc
+ runtime => {}
+ ensure => present
+ use_override => True
- Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
- Parameters differences:
--- Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
+ names => []
+ hosts => ['gitlab.wikimedia.org', 'gitlab-replica-a.wikimedia.org', 'gitlab-replica-b.wikimedia.org', 'gitlab.discovery.wmnet', 'gitlab-replica-a.discovery.wmnet', 'gitlab-replica-b.discovery.wmnet', 'gitlab1004.wikimedia.org']
+ common_name => gitlab.wikimedia.org
+ ensure => present
+ key => {'algo': 'ecdsa', 'size': 256}
- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr]
- Parameters differences:
--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr].orig
+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr]
+ group => envoy
+ ensure => file
+ mode => 0440
+ owner => envoy
- Class[Profile::Envoy]
- Parameters differences:
--- Class[Profile::Envoy].orig
+++ Class[Profile::Envoy]
+ require => ['Class[Profile::Tcp_fast_open]']
+ runtime => {}
+ ensure => present
+ cluster => misc
- File[/usr/local/sbin/build-envoy-config]
- Parameters differences:
--- File[/usr/local/sbin/build-envoy-config].orig
+++ File[/usr/local/sbin/build-envoy-config]
+ source => puppet:///modules/envoyproxy/build_envoy_config.py
+ mode => 0555
+ owner => root
+ group => root
+ ensure => present
- Systemd::Syslog[envoy]
- Parameters differences:
--- Systemd::Syslog[envoy].orig
+++ Systemd::Syslog[envoy]
+ force_stop => True
+ log_filename => syslog.log
+ ensure => present
+ base_dir => /var/log
+ readable_by => group
+ require => Package[envoyproxy]
+ owner => envoy
+ group => envoy
+ programname_comparison => startswith
- File[/etc/envoy/clusters.d]
- Parameters differences:
--- File[/etc/envoy/clusters.d].orig
+++ File[/etc/envoy/clusters.d]
+ mode => 0755
+ recurse => True
+ group => root
+ ensure => directory
+ purge => True
+ owner => root
- Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]
- Parameters differences:
--- Exec[Generate cert discovery2026__gitlab_wikimedia_org_server].orig
+++ Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]
+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/gitlab1004.wikimedia.org.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server
+ unless => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem 2>&1)"
+ environment => ['GODEBUG=x509ignoreCN=0']
+ require => Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
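Review bot: `environment => ['GODEBUG=x509ignoreCN=0']` on Exec[Generate cert discovery2026__gitlab_wikimedia_org_server] (also on the renew Exec and on Cfssl::Cert) re-enables the legacy treatment of the certificate CN as a hostname, a Go toolchain switch that was removed in Go 1.17, so if the installed golang-cfssl is built with a newer Go the variable is dead configuration. The CSR already lists every name in `hosts`, so CN fallback is not needed for this certificate; consider dropping the setting in the cfssl define or adding a comment there recording which Go version it targets. Which Go version the packaged cfssl uses is not visible here.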
- Envoyproxy::Listener[tls_terminator_8443]
- Parameters differences:
--- Envoyproxy::Listener[tls_terminator_8443].orig
+++ Envoyproxy::Listener[tls_terminator_8443]
+ priority => 0
- File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
- Parameters differences:
--- File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr].orig
+++ File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
+ group => root
+ ensure => file
+ mode => 0400
+ owner => root
- Content differences:
--- /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr.orig
+++ /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr
@@ -0,0 +1,19 @@
+{
+ "CN": "gitlab.wikimedia.org",
+ "hosts": [
+ "gitlab.wikimedia.org",
+ "gitlab-replica-a.wikimedia.org",
+ "gitlab-replica-b.wikimedia.org",
+ "gitlab.discovery.wmnet",
+ "gitlab-replica-a.discovery.wmnet",
+ "gitlab-replica-b.discovery.wmnet",
+ "gitlab1004.wikimedia.org"
+ ],
+ "key": {
+ "algo": "ecdsa",
+ "size": 256
+ },
+ "names": [
+
+ ]
+}
- Envoyproxy::Cluster[cluster_local_port_443]
- Parameters differences:
--- Envoyproxy::Cluster[cluster_local_port_443].orig
+++ Envoyproxy::Cluster[cluster_local_port_443]
+ priority => 0
- File_line[deselect_dst_root_ca_x3]
- Parameters differences:
--- File_line[deselect_dst_root_ca_x3].orig
+++ File_line[deselect_dst_root_ca_x3]
+ line => !mozilla/DST_Root_CA_X3.crt
+ append_on_no_match => False
+ require => Package[ca-certificates]
+ match => ^!?mozilla/DST_Root_CA_X3\.crt$
+ path => /etc/ca-certificates.conf
+ notify => Exec[update-ca-certificates]
- File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]
- Parameters differences:
--- File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft].orig
+++ File[/etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft]
+ mode => 0444
+ require => ['Nftables::Set[CACHES]', 'Nftables::Set[BASTION_HOSTS]']
+ tag => nft
+ group => root
+ ensure => present
+ notify => ['Service[nftables]']
+ owner => root
- Content differences:
--- /etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft.orig
+++ /etc/nftables/notrack/10_envoy_tls_termination_src_sets.nft
@@ -0,0 +1,6 @@
+# Managed by puppet
+#
+ip saddr @BASTION_HOSTS_ipv4 tcp dport { 8443 } notrack
+ip saddr @CACHES_ipv4 tcp dport { 8443 } notrack
+ip6 saddr @BASTION_HOSTS_ipv6 tcp dport { 8443 } notrack
+ip6 saddr @CACHES_ipv6 tcp dport { 8443 } notrack
- Envoyproxy::Conf[cluster_local_port_443]
- Parameters differences:
--- Envoyproxy::Conf[cluster_local_port_443].orig
+++ Envoyproxy::Conf[cluster_local_port_443]
+ priority => 0
+ conf_type => cluster
- File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]
- Parameters differences:
--- File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft].orig
+++ File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]
+ mode => 0444
+ require => ['Nftables::Set[CACHES]', 'Nftables::Set[BASTION_HOSTS]']
+ tag => nft
+ group => root
+ ensure => present
+ notify => ['Service[nftables]']
+ owner => root
- Content differences:
--- /etc/nftables/input/10_envoy_tls_termination_src_sets.nft.orig
+++ /etc/nftables/input/10_envoy_tls_termination_src_sets.nft
@@ -0,0 +1,6 @@
+# Managed by puppet
+#
+ip saddr @BASTION_HOSTS_ipv4 tcp dport { 8443 } accept
+ip saddr @CACHES_ipv4 tcp dport { 8443 } accept
+ip6 saddr @BASTION_HOSTS_ipv6 tcp dport { 8443 } accept
+ip6 saddr @CACHES_ipv6 tcp dport { 8443 } accept
- File[/etc/sysctl.d/70-TCP-Fast-Open.conf]
- Parameters differences:
--- File[/etc/sysctl.d/70-TCP-Fast-Open.conf].orig
+++ File[/etc/sysctl.d/70-TCP-Fast-Open.conf]
+ group => root
+ ensure => present
+ notify => Exec[update_sysctl]
+ owner => root
- Content differences:
--- /etc/sysctl.d/70-TCP-Fast-Open.conf.orig
+++ /etc/sysctl.d/70-TCP-Fast-Open.conf
@@ -0,0 +1,2 @@
+# sysctl parameters managed by Puppet.
+net.ipv4.tcp_fastopen = 3
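Review bot: `net.ipv4.tcp_fastopen = 3` enables TCP Fast Open for both outgoing (bit 1) and incoming (bit 2) connections, while the only consumer visible in this diff is the listener's server-side `tcp_fast_open_queue_length: 150`, which `2` would cover. Class[Profile::Tcp_fast_open] is presumably shared with other roles, so confirm before narrowing; otherwise a one-line comment in the sysctl file naming why client-side TFO is wanted would settle it.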
- Exec[verify-envoy-config]
- Parameters differences:
--- Exec[verify-envoy-config].orig
+++ Exec[verify-envoy-config]
+ command => /usr/local/sbin/build-envoy-config -c '/etc/envoy'
+ user => root
+ require => Package[envoyproxy]
+ refreshonly => True
+ notify => Systemd::Service[envoyproxy.service]
- File[/etc/envoy/listeners.d]
- Parameters differences:
--- File[/etc/envoy/listeners.d].orig
+++ File[/etc/envoy/listeners.d]
+ mode => 0755
+ recurse => True
+ group => root
+ ensure => directory
+ purge => True
+ owner => root
- Package[envoyproxy]
- Parameters differences:
--- Package[envoyproxy].orig
+++ Package[envoyproxy]
+ ensure => present
+ provider => apt
- Class[Profile::Apt]
- Parameters differences:
--- Class[Profile::Apt].orig
+++ Class[Profile::Apt]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']
- File[/usr/local/sbin/envoyproxy-start]
- Parameters differences:
--- File[/usr/local/sbin/envoyproxy-start].orig
+++ File[/usr/local/sbin/envoyproxy-start]
+ source => puppet:///modules/envoyproxy/hot_restarter/start-envoy.sh
+ mode => 0555
+ owner => root
+ group => root
+ ensure => present
- Class[Profile::Tlsproxy::Envoy]
- Parameters differences:
--- Class[Profile::Tlsproxy::Envoy].orig
+++ Class[Profile::Tlsproxy::Envoy]
+ error_page => False
+ retries => True
+ request_headers_to_add => {}
+ tls_port => 8443
+ upstream_tls => True
+ downstream_idle_timeout => 125.0
+ firewall_global => False
+ websockets => False
+ ssl_provider => cfssl
+ services => [{'server_names': ['*'], 'port': 443}]
+ upstream_idle_timeout => 900.0
+ require => ['Class[Profile::Envoy]']
+ cfssl_label => discovery2026
+ header_key_format => none
+ use_remote_address => False
+ max_requests => 1
+ global_cert_name => gitlab.wikimedia.org
+ listen_ipv6 => False
+ local_otel_reporting_pct => 0.0
+ rate_limit_enabled => False
+ fast_open_queue => 150
+ firewall_src_sets => ['CACHES', 'BASTION_HOSTS']
+ access_log => False
+ cfssl_options => {'hosts': ['gitlab.wikimedia.org', 'gitlab-replica-a.wikimedia.org', 'gitlab-replica-b.wikimedia.org', 'gitlab.discovery.wmnet', 'gitlab-replica-a.discovery.wmnet', 'gitlab-replica-b.discovery.wmnet', 'gitlab1004.wikimedia.org']}
+ connection_buffer_limit => 268435456
+ stream_idle_timeout => 1800.0
+ upstream_response_timeout => 0.0
+ sni_support => no
+ upstream_addr => gitlab1004.wikimedia.org
+ idle_timeout => 100.0
- Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]
- Parameters differences:
--- Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server].orig
+++ Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]
+ command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/gitlab1004.wikimedia.org.pem -label discovery2026 -profile server /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server
+ unless => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem -checkend 952200
+ environment => ['GODEBUG=x509ignoreCN=0']
+ require => Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]
- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem]
- Parameters differences: