--- Class[Profile::Apt].orig
+++ Class[Profile::Apt]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']
Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]
- Parameters differences:
--- Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem].orig
+++ Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]
+ unless => /usr/bin/test "$(/bin/cat /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem | sha512sum)" == "$(/bin/cat /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem | sha512sum)"
+ require => Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change]
+ command => /bin/cat /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem > /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem
+ subscribe => ['Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]', 'File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]', 'File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem]']
- Firewall::Service[envoy_tls_termination_src_sets]
- Parameters differences:
--- Firewall::Service[envoy_tls_termination_src_sets].orig
+++ Firewall::Service[envoy_tls_termination_src_sets]
+ proto => tcp
+ prio => 10
+ port => 8443
+ ensure => present
+ src_sets => ['CACHES', 'BASTION_HOSTS']
+ unrestricted_access => False
+ notrack => True
+ desc =>
- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr]
- Parameters differences:
--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr].orig
+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr]
+ owner => envoy
+ group => envoy
+ mode => 0440
+ ensure => file
- Class[Profile::Envoy]
- Parameters differences:
--- Class[Profile::Envoy].orig
+++ Class[Profile::Envoy]
+ cluster => misc
+ runtime => {}
+ ensure => present
+ require => ['Class[Profile::Tcp_fast_open]']
- Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change]
- Parameters differences:
--- Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change].orig
+++ Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh on intermediate ca change]
+ environment => ['GODEBUG=x509ignoreCN=0']
+ refreshonly => True
+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/gitlab1004.wikimedia.org.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server
+ subscribe => File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]
+ require => Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
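Review bot: `environment => ['GODEBUG=x509ignoreCN=0']` re-enables the legacy fallback that matches a certificate's Common Name when it has no SANs. Go removed that switch in 1.17, so depending on the Go version cfssl was built with, it is either a no-op or a relaxation of hostname verification, presumably on the mutual-TLS connection to the signing API. The same setting appears on `Exec[Generate cert ... refresh]`, `Exec[renew certificate ...]` and `Cfssl::Cert[...]` further down. If the signing endpoint's certificate carries SANs, drop the variable; if it does not, the cfssl module should carry a comment naming the certificate that still needs it. The command also pipes `cfssl` into `cfssljson`, so only the exit status of `cfssljson` is seen; confirm that a failed signing request cannot leave a stale or partial certificate in place.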
- File[/etc/sysctl.d/70-TCP-Fast-Open.conf]
- Parameters differences:
--- File[/etc/sysctl.d/70-TCP-Fast-Open.conf].orig
+++ File[/etc/sysctl.d/70-TCP-Fast-Open.conf]
+ owner => root
+ group => root
+ notify => Exec[update_sysctl]
+ ensure => present
- Content differences:
--- /etc/sysctl.d/70-TCP-Fast-Open.conf.orig
+++ /etc/sysctl.d/70-TCP-Fast-Open.conf
@@ -0,0 +1,2 @@
+# sysctl parameters managed by Puppet.
+net.ipv4.tcp_fastopen = 3
- File[/etc/envoy/ssl]
- Parameters differences:
--- File[/etc/envoy/ssl].orig
+++ File[/etc/envoy/ssl]
+ mode => 0740
+ recurse => True
+ ensure => directory
+ owner => envoy
+ group => envoy
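Review bot: `mode => 0740` with `recurse => True` is an odd fit for a key directory, because the same numeric mode is pushed onto every file under `/etc/envoy/ssl` that has no File resource of its own. Puppet adds the search bit on directories wherever read is set, so the directory itself ends up group-traversable, while files picked up by the recursion would, as far as I can tell, become owner-executable and group-readable. If the intent is "envoy may read, nobody else", `mode => '0750'` on the directory without `recurse`, plus explicit modes on the key and certificate files, states that directly. The File resource for the private key is cut off at the end of this page, so its mode could not be checked here.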
- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]
- Parameters differences:
--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]
+ mode => 0440
+ group => envoy
+ ensure => file
+ owner => envoy
+ source => puppet:///modules/profile/pki/intermediates/discovery2026-cert.pem
- File[/etc/logrotate.d/envoy]
- Parameters differences:
--- File[/etc/logrotate.d/envoy].orig
+++ File[/etc/logrotate.d/envoy]
+ owner => root
+ group => root
+ mode => 0444
+ ensure => present
- Content differences:
--- /etc/logrotate.d/envoy.orig
+++ /etc/logrotate.d/envoy
@@ -0,0 +1,12 @@
+# logrotate(8) config for envoy
+
+/var/log/envoy/*.log {
+ daily
+ copytruncate
+ missingok
+ compress
+ delaycompress
+ notifempty
+ rotate 15
+ size 256M
+}
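Review bot: `size 256M` next to `daily` does not give "daily, or sooner at 256M". With `size`, logrotate rotates only once a file exceeds that size and ignores the time interval. Low-volume files matched by the glob, such as `/var/log/envoy/admin-access.log`, may then never rotate, and `rotate 15` stops being a 15-day retention bound. If daily rotation with a size cap is intended, use `maxsize 256M` instead. `copytruncate` can also lose lines written between the copy and the truncate, which matters if these logs serve as an audit trail.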
- File[/etc/systemd/system/envoyproxy.service.d]
- Parameters differences:
--- File[/etc/systemd/system/envoyproxy.service.d].orig
+++ File[/etc/systemd/system/envoyproxy.service.d]
+ owner => root
+ group => root
+ mode => 0555
+ ensure => directory
- File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]
- Parameters differences:
--- File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft].orig
+++ File[/etc/nftables/input/10_envoy_tls_termination_src_sets.nft]
+ mode => 0444
+ notify => ['Service[nftables]']
+ tag => nft
+ ensure => present
+ owner => root
+ group => root
+ require => ['Nftables::Set[CACHES]', 'Nftables::Set[BASTION_HOSTS]']
- Content differences:
--- /etc/nftables/input/10_envoy_tls_termination_src_sets.nft.orig
+++ /etc/nftables/input/10_envoy_tls_termination_src_sets.nft
@@ -0,0 +1,6 @@
+# Managed by puppet
+#
+ip saddr @BASTION_HOSTS_ipv4 tcp dport { 8443 } accept
+ip saddr @CACHES_ipv4 tcp dport { 8443 } accept
+ip6 saddr @BASTION_HOSTS_ipv6 tcp dport { 8443 } accept
+ip6 saddr @CACHES_ipv6 tcp dport { 8443 } accept
- Envoyproxy::Tls_terminator[8443]
- Parameters differences:
--- Envoyproxy::Tls_terminator[8443].orig
+++ Envoyproxy::Tls_terminator[8443]
+ response_headers_to_add => {}
+ rate_limit_enabled => False
+ has_error_page => False
+ request_headers_to_add => {}
+ connection_buffer_limit => 268435456
+ local_otel_reporting_pct => 0.0
+ upstream_idle_timeout => 900.0
+ downstream_idle_timeout => 125.0
+ retry_policy => {'num_retries': 1, 'retry_on': '5xx'}
+ idle_timeout => 100.0
+ global_key_path => /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem
+ max_requests_per_conn => 1
+ upstream_response_timeout => 0.0
+ stream_idle_timeout => 1800.0
+ upstreams => [{'server_names': ['*'], 'cert_path': None, 'key_path': None, 'upstream_port': 443, 'upstream_addr': 'gitlab1004.wikimedia.org', 'upstream_tls': True}]
+ websockets => False
+ access_log => False
+ header_key_format => none
+ fast_open_queue => 150
+ use_remote_address => False
+ connect_timeout => 1.0
+ listen_ipv6 => False
+ global_cert_path => /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem
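Review bot: `upstream_tls` is `True` for `gitlab1004.wikimedia.org:443`, but the upstream entry leaves `cert_path` and `key_path` unset, and the rendered cluster for `cluster_local_port_443` is not part of this diff. Confirm that the cluster's upstream TLS context carries a validation context (trusted CA plus a SAN match for the upstream name). Without one, Envoy does not verify the upstream certificate, and the second hop is encrypted but unauthenticated. Separately, `retry_policy` with `'retry_on': '5xx'` retries regardless of request method, which deserves a second look for a backend that receives non-idempotent POSTs.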
- File[/etc/envoy]
- Parameters differences:
--- File[/etc/envoy].orig
+++ File[/etc/envoy]
+ owner => root
+ group => root
+ mode => 0755
+ ensure => directory
- File[/etc/envoy/envoy.yaml]
- Parameters differences:
--- File[/etc/envoy/envoy.yaml].orig
+++ File[/etc/envoy/envoy.yaml]
+ owner => root
+ group => root
+ mode => 0644
+ ensure => present
- Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh]
- Parameters differences:
--- Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh].orig
+++ Exec[Generate cert discovery2026__gitlab_wikimedia_org_server refresh]
+ environment => ['GODEBUG=x509ignoreCN=0']
+ refreshonly => True
+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/gitlab1004.wikimedia.org.pem -label discovery2026 -profile server /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server
+ subscribe => File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
- Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]
- Parameters differences:
--- Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server].orig
+++ Exec[renew certificate - discovery2026__gitlab_wikimedia_org_server]
+ environment => ['GODEBUG=x509ignoreCN=0']
+ unless => /usr/bin/openssl x509 -in /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem -checkend 952200
+ command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/gitlab1004.wikimedia.org.pem -label discovery2026 -profile server /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server
+ require => Exec[Generate cert discovery2026__gitlab_wikimedia_org_server]
- Nftables::Service[envoy_tls_termination_src_sets]
- Parameters differences:
--- Nftables::Service[envoy_tls_termination_src_sets].orig
+++ Nftables::Service[envoy_tls_termination_src_sets]
+ proto => tcp
+ prio => 10
+ port => 8443
+ ensure => present
+ src_sets => ['CACHES', 'BASTION_HOSTS']
+ unrestricted_access => False
+ notrack => True
+ desc =>
- Class[Envoyproxy]
- Parameters differences:
--- Class[Envoyproxy].orig
+++ Class[Envoyproxy]
+ service_cluster => misc
+ runtime => {}
+ admin_port => 9631
+ ensure => present
+ use_override => True
+ pkg_name => envoyproxy
- File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]
- Parameters differences:
--- File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf].orig
+++ File[/etc/systemd/system/envoyproxy.service.d/puppet-override.conf]
+ mode => 0444
+ notify => Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]
+ ensure => present
+ owner => root
+ group => root
- Content differences:
--- /etc/systemd/system/envoyproxy.service.d/puppet-override.conf.orig
+++ /etc/systemd/system/envoyproxy.service.d/puppet-override.conf
@@ -0,0 +1,26 @@
+[Service]
+# TODO: support hot restarts, see for instance https://www.envoyproxy.io/docs/envoy/latest/operations/hot_restarter
+# Ensure envoy can handle enough file descriptors
+LimitNOFILE=65536
+# Allow envoy to bind on a privileged port
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+ExecStart=
+# We use the hot-restarter script to start envoy. Please note that "restart"
+# in systemd terms is stop + start, so it will not hot-restart envoy.
+# We will have to use "reload" to obtain the desired result -
+# and have puppet run 'systemctl reload envoyproxy.service' instead.
+Environment="ENVOY_CONFIG=/etc/envoy/envoy.yaml"
+Environment="SERVICE_ZONE=eqiad"
+Environment="SERVICE_CLUSTER=misc"
+Environment="SERVICE_NODE=gitlab1004.wikimedia.org"
+ExecStart=/usr/local/sbin/envoyproxy-hot-restarter /usr/local/sbin/envoyproxy-start
+ExecReload=
+ExecReload=/bin/kill -s HUP $MAINPID
+
+# Security settings
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ReadWritePaths=/var/log/envoy/
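Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` is granted although the listeners rendered for this host are 8443 and 9631, neither of which is a privileged port. If this drop-in is shared with hosts that bind below 1024, make the capability conditional; otherwise drop it. The "Security settings" block would also be tighter with `NoNewPrivileges=yes` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` (or an empty set where no capability is needed), neither of which is set here. `User=` is not part of this override, so confirm that the packaged unit runs Envoy as an unprivileged account.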
- Class[Profile::Tlsproxy::Envoy]
- Parameters differences:
--- Class[Profile::Tlsproxy::Envoy].orig
+++ Class[Profile::Tlsproxy::Envoy]
+ cfssl_options => {'hosts': ['gitlab.wikimedia.org', 'gitlab-replica-a.wikimedia.org', 'gitlab-replica-b.wikimedia.org', 'gitlab.discovery.wmnet', 'gitlab-replica-a.discovery.wmnet', 'gitlab-replica-b.discovery.wmnet', 'gitlab1004.wikimedia.org']}
+ firewall_src_sets => ['CACHES', 'BASTION_HOSTS']
+ tls_port => 8443
+ upstream_tls => True
+ rate_limit_enabled => False
+ request_headers_to_add => {}
+ connection_buffer_limit => 268435456
+ local_otel_reporting_pct => 0.0
+ upstream_idle_timeout => 900.0
+ sni_support => no
+ upstream_addr => gitlab1004.wikimedia.org
+ downstream_idle_timeout => 125.0
+ retries => True
+ services => [{'server_names': ['*'], 'port': 443}]
+ idle_timeout => 100.0
+ firewall_global => False
+ upstream_response_timeout => 0.0
+ ssl_provider => cfssl
+ cfssl_label => discovery2026
+ stream_idle_timeout => 1800.0
+ websockets => False
+ access_log => False
+ header_key_format => none
+ fast_open_queue => 150
+ use_remote_address => False
+ global_cert_name => gitlab.wikimedia.org
+ listen_ipv6 => False
+ error_page => False
+ max_requests => 1
+ require => ['Class[Profile::Envoy]']
- Rsyslog::Conf[envoy]
- Parameters differences:
--- Rsyslog::Conf[envoy].orig
+++ Rsyslog::Conf[envoy]
+ priority => 40
+ mode => 0444
+ ensure => present
+ require => File[/var/log/envoy]
- Envoyproxy::Conf[cluster_local_port_443]
- Parameters differences:
--- Envoyproxy::Conf[cluster_local_port_443].orig
+++ Envoyproxy::Conf[cluster_local_port_443]
+ priority => 0
+ conf_type => cluster
- Systemd::Syslog[envoy]
- Parameters differences:
--- Systemd::Syslog[envoy].orig
+++ Systemd::Syslog[envoy]
+ readable_by => group
+ log_filename => syslog.log
+ owner => envoy
+ base_dir => /var/log
+ force_stop => True
+ ensure => present
+ programname_comparison => startswith
+ group => envoy
+ require => Package[envoyproxy]
- Systemd::Service[envoyproxy.service]
- Parameters differences:
--- Systemd::Service[envoyproxy.service].orig
+++ Systemd::Service[envoyproxy.service]
+ service_params => {'restart': '/bin/systemctl reload envoyproxy.service'}
+ monitoring_enabled => False
+ override => True
+ restart => False
+ monitoring_contact_group => admins
+ migration_task => T407130
+ unit_type => service
+ monitoring_critical => False
+ ensure => present
- File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml]
- Parameters differences:
--- File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml].orig
+++ File[/etc/envoy/listeners.d/00-tls_terminator_8443.yaml]
+ mode => 0444
+ notify => Exec[verify-envoy-config]
+ ensure => present
+ owner => root
+ group => root
- Content differences:
--- /etc/envoy/listeners.d/00-tls_terminator_8443.yaml.orig
+++ /etc/envoy/listeners.d/00-tls_terminator_8443.yaml
@@ -0,0 +1,57 @@
+address:
+ socket_address:
+ port_value: 8443
+ address: 0.0.0.0
+per_connection_buffer_limit_bytes: 268435456
+listener_filters:
+- name: "envoy.filters.listener.tls_inspector"
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+tcp_fast_open_queue_length: 150
+filter_chains:
+# Non-SNI support
+- transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ common_tls_context:
+ tls_certificates:
+ - certificate_chain: { filename: "/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem" }
+ private_key: { filename: "/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem" }
+ filters:
+ - name: envoy.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: ingress_http
+ common_http_protocol_options:
+ idle_timeout: 125.0s
+ stream_idle_timeout: 1800.0s
+ route_config:
+ virtual_hosts:
+ - name: non_sni_port_443
+ domains: ["*"]
+ routes:
+ - match: { prefix: "/" }
+ route:
+ cluster: local_port_443
+ timeout: 0.0s
+ idle_timeout: 900.0s
+ retry_policy:
+ num_retries: 1
+ retry_on: "5xx"
+ http_filters:
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ http_protocol_options:
+ accept_http_10: true
+ server_header_transformation: APPEND_IF_ABSENT
+ internal_address_config:
+ unix_sockets: true
+ cidr_ranges:
+ - address_prefix: 10.0.0.0
+ prefix_len: 8
+ - address_prefix: 127.0.0.1
+ prefix_len: 32
+ - address_prefix: ::1
+ prefix_len: 128
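Review bot: The `DownstreamTlsContext` sets only `tls_certificates`, so the protocol floor and cipher suites come from whatever the installed Envoy build defaults to. Pin them in the template, for example `tls_params: { tls_minimum_protocol_version: TLSv1_2 }` under `common_tls_context`, so that a package change cannot silently alter what the listener accepts. The listener also binds `address: 0.0.0.0`, so access control rests entirely on the nftables rule for port 8443. `internal_address_config` treats all of 10.0.0.0/8 as internal, so confirm that every peer admitted by the CACHES and BASTION_HOSTS sets is meant to be trusted for forwarded-client headers.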
- Class[Adduser]
- Parameters differences:
--- Class[Adduser].orig
+++ Class[Adduser]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[nftables]', 'Package[conntrack]', 'Package[bacula-fd]', 'Package[envoyproxy]', 'Package[rsync]', 'Package[python3-ldap]', 'Package[python3-gitlab]', 'Package[s3cmd]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[gitlab-ce]']
- Package[envoyproxy]
- Parameters differences:
--- Package[envoyproxy].orig
+++ Package[envoyproxy]
+ ensure => present
+ provider => apt
- File[/etc/envoy/admin-config.yaml]
- Parameters differences:
--- File[/etc/envoy/admin-config.yaml].orig
+++ File[/etc/envoy/admin-config.yaml]
+ mode => 0555
+ notify => Exec[verify-envoy-config]
+ ensure => present
+ owner => root
+ group => root
- Content differences:
--- /etc/envoy/admin-config.yaml.orig
+++ /etc/envoy/admin-config.yaml
@@ -0,0 +1,10 @@
+---
+access_log:
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+ path: "/var/log/envoy/admin-access.log"
+address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 9631
+ignore_global_conn_limit: true
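Review bot: The admin listener binds to `address: 0.0.0.0` on port 9631, which exposes Envoy's admin interface on every interface of the host. That interface has no authentication of its own and includes endpoints that change server state, so it is normally bound to loopback with `address: 127.0.0.1`. If the port must be reachable remotely, for example for metrics scraping, the restriction has to come from the host firewall, and no rule for 9631 is visible in this part of the catalog.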
- Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server]
- Parameters differences:
--- Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server].orig
+++ Cfssl::Cert[discovery2026__gitlab_wikimedia_org_server]
+ mode => 0740
+ notify => Service[envoyproxy.service]
+ provide_chain => True
+ before => Exec[verify-envoy-config]
+ environment => ['GODEBUG=x509ignoreCN=0']
+ auto_renew => True
+ renew_seconds => 952200
+ group => envoy
+ common_name => gitlab.wikimedia.org
+ key => {'algo': 'ecdsa', 'size': 256}
+ label => discovery2026
+ owner => envoy
+ notify_services => []
+ before_services => []
+ names => []
+ ensure => present
+ hosts => ['gitlab.wikimedia.org', 'gitlab-replica-a.wikimedia.org', 'gitlab-replica-b.wikimedia.org', 'gitlab.discovery.wmnet', 'gitlab-replica-a.discovery.wmnet', 'gitlab-replica-b.discovery.wmnet', 'gitlab1004.wikimedia.org']
+ profile => server
+ outdir => /etc/envoy/ssl
+ require => Package[envoyproxy]
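Review bot: `environment => ['GODEBUG=x509ignoreCN=0']` re-enables Go's legacy fallback to matching a certificate's Common Name when it carries no SANs, and the diff does not say which peer needs it. The certificate requested here has a full `hosts` list, so the fallback is presumably for the signing endpoint's certificate rather than this one. Go removed that GODEBUG switch in 1.17, so with a newer cfssl build the setting may silently have no effect. A comment at the definition naming the peer that still lacks SANs, or dropping the variable once that peer is reissued, would make this auditable.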
- File[/usr/local/sbin/build-envoy-config]
- Parameters differences:
--- File[/usr/local/sbin/build-envoy-config].orig
+++ File[/usr/local/sbin/build-envoy-config]
+ mode => 0555
+ group => root
+ ensure => present
+ owner => root
+ source => puppet:///modules/envoyproxy/build_envoy_config.py
- Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]
- Parameters differences:
--- Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)].orig
+++ Exec[systemd daemon-reload for envoyproxy.service (envoyproxy.service)]
+ before => ['Service[envoyproxy.service]']
+ refreshonly => True
+ command => /bin/systemctl daemon-reload
- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem]
- Parameters differences:
--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server-key.pem]
+ mode => 0440
+ group => envoy
+ ensure => file
+ owner => envoy
+ backup => False
+ show_diff => False
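Review bot: The private key is created with `owner => envoy`, so the service account owns the file and can change its mode, even though `mode => 0440` gives it read access only. `owner => root` with `group => envoy` and the same 0440 mode would keep the key readable by the daemon while leaving control of the file with root. This assumes nothing running as envoy needs to rewrite the key on renewal, which the diff does not show. `show_diff => False` and `backup => False` are the right settings for key material.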
- Envoyproxy::Cluster[cluster_local_port_443]
- Parameters differences:
--- Envoyproxy::Cluster[cluster_local_port_443].orig
+++ Envoyproxy::Cluster[cluster_local_port_443]
+ priority => 0
- Envoyproxy::Conf[tls_terminator_8443]
- Parameters differences:
--- Envoyproxy::Conf[tls_terminator_8443].orig
+++ Envoyproxy::Conf[tls_terminator_8443]
+ priority => 0
+ conf_type => listener
- File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
- Parameters differences:
--- File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr].orig
+++ File[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
+ owner => root
+ group => root
+ mode => 0400
+ ensure => file
- Content differences:
--- /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr.orig
+++ /etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr
@@ -0,0 +1,19 @@
+{
+ "CN": "gitlab.wikimedia.org",
+ "hosts": [
+ "gitlab.wikimedia.org",
+ "gitlab-replica-a.wikimedia.org",
+ "gitlab-replica-b.wikimedia.org",
+ "gitlab.discovery.wmnet",
+ "gitlab-replica-a.discovery.wmnet",
+ "gitlab-replica-b.discovery.wmnet",
+ "gitlab1004.wikimedia.org"
+ ],
+ "key": {
+ "algo": "ecdsa",
+ "size": 256
+ },
+ "names": [
+
+ ]
+}
- Exec[verify-envoy-config]
- Parameters differences:
--- Exec[verify-envoy-config].orig
+++ Exec[verify-envoy-config]
+ refreshonly => True
+ notify => Systemd::Service[envoyproxy.service]
+ user => root
+ command => /usr/local/sbin/build-envoy-config -c '/etc/envoy'
+ require => Package[envoyproxy]
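Review bot: The Exec runs `/usr/local/sbin/build-envoy-config` as root but its `require` lists only Package[envoyproxy], not File[/usr/local/sbin/build-envoy-config]. Unless ordering comes from somewhere outside this diff, a first run can refresh the Exec before the script is in place and fail. I would use `require => [Package['envoyproxy'], File['/usr/local/sbin/build-envoy-config']]`. The title says "verify" while the command is the build script, so a short comment on whether a failed validation stops the notified service restart would also help.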
- File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml]
- Parameters differences:
--- File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml].orig
+++ File[/etc/envoy/clusters.d/00-cluster_local_port_443.yaml]
+ mode => 0444
+ notify => Exec[verify-envoy-config]
+ ensure => present
+ owner => root
+ group => root
- Content differences:
--- /etc/envoy/clusters.d/00-cluster_local_port_443.yaml.orig
+++ /etc/envoy/clusters.d/00-cluster_local_port_443.yaml
@@ -0,0 +1,28 @@
+name: local_port_443
+connect_timeout: 1.0s
+typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ common_http_protocol_options:
+ idle_timeout: 100.0s
+ max_requests_per_connection: 1
+ use_downstream_protocol_config: {}
+type: strict_dns
+lb_policy: round_robin
+load_assignment:
+ cluster_name: local_port_443
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: gitlab1004.wikimedia.org
+ port_value: 443
+transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ common_tls_context:
+ validation_context:
+ trusted_ca:
+ filename: /etc/ssl/certs/ca-certificates.crt
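Review bot: The upstream TLS context sets only `trusted_ca`, so Envoy checks that the upstream certificate chains to a CA in the bundle but does not check which host it was issued for. With the whole system bundle at /etc/ssl/certs/ca-certificates.crt as trust anchor, any certificate from any of those CAs would be accepted for gitlab1004.wikimedia.org. Adding a SAN matcher and an explicit SNI value to the template that generates this fragment would close that gap. If the packaged Envoy predates `match_typed_subject_alt_names`, the older `match_subject_alt_names` field serves the same purpose.

```yaml
# … unchanged: cluster name, timeouts, protocol options, load_assignment …
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    sni: gitlab1004.wikimedia.org
    common_tls_context:
      validation_context:
        # … unchanged: trusted_ca …
        match_typed_subject_alt_names:
          - san_type: DNS
            matcher:
              exact: gitlab1004.wikimedia.org
```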
- File_line[deselect_dst_root_ca_x3]
- Parameters differences:
--- File_line[deselect_dst_root_ca_x3].orig
+++ File_line[deselect_dst_root_ca_x3]
+ notify => Exec[update-ca-certificates]
+ match => ^!?mozilla/DST_Root_CA_X3\.crt$
+ line => !mozilla/DST_Root_CA_X3.crt
+ path => /etc/ca-certificates.conf
+ append_on_no_match => False
+ require => Package[ca-certificates]
- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem]
- Parameters differences:
--- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem].orig
+++ File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chained.pem]
+ owner => envoy
+ group => envoy
+ ensure => file
+ require => Exec[create chained cert /etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.chain.pem]
- File[/etc/envoy/stats-config.yaml]
- Parameters differences:
--- File[/etc/envoy/stats-config.yaml].orig
+++ File[/etc/envoy/stats-config.yaml]
+ mode => 0555
+ group => root
+ notify => Exec[verify-envoy-config]
+ ensure => present
+ owner => root
+ source => puppet:///modules/envoyproxy/stats-config.yaml
- File[/usr/local/sbin/envoyproxy-hot-restarter]
- Parameters differences:
--- File[/usr/local/sbin/envoyproxy-hot-restarter].orig
+++ File[/usr/local/sbin/envoyproxy-hot-restarter]
+ mode => 0555
+ group => root
+ ensure => present
+ owner => root
+ source => puppet:///modules/envoyproxy/hot_restarter/hot-restarter.py
- File[/etc/envoy/listeners.d]
- Parameters differences:
--- File[/etc/envoy/listeners.d].orig
+++ File[/etc/envoy/listeners.d]
+ mode => 0755
+ recurse => True
+ purge => True
+ ensure => directory
+ owner => root
+ group => root
- Sysctl::Parameters[TCP Fast Open]
- Parameters differences:
--- Sysctl::Parameters[TCP Fast Open].orig
+++ Sysctl::Parameters[TCP Fast Open]
+ priority => 70
+ no_priority_prefix => False
+ ensure => present
+ values => {'net.ipv4.tcp_fastopen': 3}
- Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
- Parameters differences:
--- Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/discovery2026__gitlab_wikimedia_org_server.csr]
+ key => {'algo': 'ecdsa', 'size': 256}
+ names => []
+ ensure => present
+ hosts => ['gitlab.wikimedia.org', 'gitlab-replica-a.wikimedia.org', 'gitlab-replica-b.wikimedia.org', 'gitlab.discovery.wmnet', 'gitlab-replica-a.discovery.wmnet', 'gitlab-replica-b.discovery.wmnet', 'gitlab1004.wikimedia.org']
+ common_name => gitlab.wikimedia.org
- Systemd::Unit[envoyproxy.service]
- Parameters differences:
--- Systemd::Unit[envoyproxy.service].orig
+++ Systemd::Unit[envoyproxy.service]
+ ensure => present
+ override => True
+ unit => envoyproxy.service
+ restart => False
+ override_filename => puppet-override.conf
+ require => ['Class[Systemd]']
- File[/etc/envoy/clusters.d]
- Parameters differences:
--- File[/etc/envoy/clusters.d].orig
+++ File[/etc/envoy/clusters.d]
+ mode => 0755
+ recurse => True
+ purge => True
+ ensure => directory
+ owner => root
+ group => root
- File[/etc/envoy/runtime.yaml]
- Parameters differences:
--- File[/etc/envoy/runtime.yaml].orig
+++ File[/etc/envoy/runtime.yaml]
+ mode => 0555
+ notify => Exec[verify-envoy-config]
+ ensure => absent
+ owner => root
+ group => root
- Content differences:
--- /etc/envoy/runtime.yaml.orig
+++ /etc/envoy/runtime.yaml
@@ -0,0 +1 @@
+--- {}
- Logrotate::Conf[envoy]
- Parameters differences:
--- Logrotate::Conf[envoy].orig
+++ Logrotate::Conf[envoy]
+ ensure => present
- File[/etc/envoy/ssl/discovery2026__gitlab_wikimedia_org_server.pem]
- Parameters differences: