{"host": "cp2043.codfw.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 4080, "only_in_self": ["Cfssl::Cert[kafka__haproxykafka_kafka_11]", "Cfssl::Cert[kafka__varnishkafka_kafka_11]", "Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]", "Exec[Generate cert kafka__haproxykafka_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__haproxykafka_kafka_11 refresh]", "Exec[Generate cert kafka__haproxykafka_kafka_11]", "Exec[Generate cert kafka__varnishkafka_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__varnishkafka_kafka_11 refresh]", "Exec[Generate cert kafka__varnishkafka_kafka_11]", "Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]", "Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]", "Exec[renew certificate - kafka__haproxykafka_kafka_11]", "Exec[renew certificate - kafka__varnishkafka_kafka_11]", "File[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]", "File[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.csr]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem]"], "only_in_other": ["Cfssl::Cert[kafka__haproxykafka]", "Cfssl::Cert[kafka__varnishkafka]", "Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka.csr]", "Exec[Generate cert kafka__haproxykafka refresh on intermediate ca change]", "Exec[Generate cert kafka__haproxykafka refresh]", "Exec[Generate cert kafka__haproxykafka]", "Exec[Generate cert kafka__varnishkafka refresh on intermediate ca change]", "Exec[Generate cert kafka__varnishkafka refresh]", "Exec[Generate cert kafka__varnishkafka]", "Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]", "Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]", "Exec[renew certificate - kafka__haproxykafka]", "Exec[renew certificate - kafka__varnishkafka]", "File[/etc/cfssl/csr/kafka__haproxykafka.csr]", "File[/etc/cfssl/csr/kafka__varnishkafka.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka-key.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.csr]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.pem]"], "resource_diffs": [{"resource": "Class[Haproxykafka]", "parameters": "--- Class[Haproxykafka].orig\n+++ Class[Haproxykafka]\n\n@@\n-    config => {'workers': 2, 'message_buffer': 100.0, 'sdid': 'haproxykafka@0', 'hostname': 'cp2043.codfw.wmnet', 'socket': {'path': '/var/run/haproxykafka/haproxykafka.sock', 'mode': '0622', 'user': 'haproxykafka', 'group': 'haproxykafka', 'batch_size': 25000, 'batch_deadline': '500ms'}, 'logparser': {'batch_size': 102400, 'batch_deadline': '1000ms'}, 'kafka': {'topic': 'webrequest_frontend_text', 'dlq_topic': 'webrequest_errors', 'flush_timeout': 1000, 'batch_size': 102400, 'batch_deadline': '1000ms', 'rdkafka': {'acks': 'all', 'client.id': 'cp2043', 'security.protocol': 'SSL', 'ssl.ca.location': '/etc/ssl/certs/wmf-ca-certificates.crt', 'ssl.cipher.suites': 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ssl.curves.list': 'P-256', 'ssl.sigalgs.list': 'ECDSA+SHA256', 'queue.buffering.max.messages': 720000, 'queue.buffering.max.ms': 1000, 'batch.num.messages': 9000, 'compression.codec': 'snappy', 'topic.request.required.acks': 1, 'bootstrap.servers': 'kafka-jumbo1010.eqiad.wmnet:9093,kafka-jumbo1011.eqiad.wmnet:9093,kafka-jumbo1012.eqiad.wmnet:9093,kafka-jumbo1013.eqiad.wmnet:9093,kafka-jumbo1014.eqiad.wmnet:9093,kafka-jumbo1015.eqiad.wmnet:9093,kafka-jumbo1016.eqiad.wmnet:9093,kafka-jumbo1017.eqiad.wmnet:9093,kafka-jumbo1018.eqiad.wmnet:9093', 'ssl.key.location': '/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem', 'ssl.certificate.location': '/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem'}}, 'monitoring': {'enable_pprof': True, 'enable_prometheus': True, 'server_bind': ':9341', 'prometheus_prefix': 'haproxykafka_', 'prometheus_parsing_buckets': [5e-06, 1e-05, 5e-05, 0.0001, 0.0005, 0.001, 0.005], 'prometheus_processing_buckets': [1e-06, 5e-06, 1e-05, 2e-05, 3e-05, 5e-05, 0.0001, 0.0005, 0.001]}, 'transform_rules': {'haproxy_format': '02/Jan/2006:15:04:05.000', 'date_format': '2006-01-02T15:04:05Z', 'date_tz': 'UTC'}}\n+    config => {'workers': 2, 'message_buffer': 100.0, 'sdid': 'haproxykafka@0', 'hostname': 'cp2043.codfw.wmnet', 'socket': {'path': '/var/run/haproxykafka/haproxykafka.sock', 'mode': '0622', 'user': 'haproxykafka', 'group': 'haproxykafka', 'batch_size': 25000, 'batch_deadline': '500ms'}, 'logparser': {'batch_size': 102400, 'batch_deadline': '1000ms'}, 'kafka': {'topic': 'webrequest_frontend_text', 'dlq_topic': 'webrequest_errors', 'flush_timeout': 1000, 'batch_size': 102400, 'batch_deadline': '1000ms', 'rdkafka': {'acks': 'all', 'client.id': 'cp2043', 'security.protocol': 'SSL', 'ssl.ca.location': '/etc/ssl/certs/wmf-ca-certificates.crt', 'ssl.cipher.suites': 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ssl.curves.list': 'P-256', 'ssl.sigalgs.list': 'ECDSA+SHA256', 'queue.buffering.max.messages': 720000, 'queue.buffering.max.ms': 1000, 'batch.num.messages': 9000, 'compression.codec': 'snappy', 'topic.request.required.acks': 1, 'bootstrap.servers': 'kafka-jumbo1010.eqiad.wmnet:9093,kafka-jumbo1011.eqiad.wmnet:9093,kafka-jumbo1012.eqiad.wmnet:9093,kafka-jumbo1013.eqiad.wmnet:9093,kafka-jumbo1014.eqiad.wmnet:9093,kafka-jumbo1015.eqiad.wmnet:9093,kafka-jumbo1016.eqiad.wmnet:9093,kafka-jumbo1017.eqiad.wmnet:9093,kafka-jumbo1018.eqiad.wmnet:9093', 'ssl.key.location': '/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem', 'ssl.certificate.location': '/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem'}}, 'monitoring': {'enable_pprof': True, 'enable_prometheus': True, 'server_bind': ':9341', 'prometheus_prefix': 'haproxykafka_', 'prometheus_parsing_buckets': [5e-06, 1e-05, 5e-05, 0.0001, 0.0005, 0.001, 0.005], 'prometheus_processing_buckets': [1e-06, 5e-06, 1e-05, 2e-05, 3e-05, 5e-05, 0.0001, 0.0005, 0.001]}, 'transform_rules': {'haproxy_format': '02/Jan/2006:15:04:05.000', 'date_format': '2006-01-02T15:04:05Z', 'date_tz': 'UTC'}}\n"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.csr]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.csr].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.csr]\n\n-    group  => root\n-    mode   => 0440\n-    owner  => root\n-    ensure => file\n"}, {"resource": "File[/etc/varnishkafka/statsv.conf]", "content": "--- /etc/varnishkafka/statsv.conf.orig\n+++ /etc/varnishkafka/statsv.conf\n@@ -252,8 +252,8 @@\n #\n kafka.security.protocol=SSL\n kafka.ssl.ca.location=/etc/ssl/certs/wmf-ca-certificates.crt\n-kafka.ssl.key.location=/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem\n-kafka.ssl.certificate.location=/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem\n+kafka.ssl.key.location=/etc/varnishkafka/ssl/kafka__varnishkafka-key.pem\n+kafka.ssl.certificate.location=/etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem\n kafka.ssl.cipher.suites=ECDHE-ECDSA-AES256-GCM-SHA384\n kafka.ssl.curves.list=P-256\n kafka.ssl.sigalgs.list=ECDSA+SHA256"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]\n\n+    group  => root\n+    source => puppet:///modules/profile/pki/intermediates/kafka-cert.pem\n+    mode   => 0440\n+    owner  => root\n+    ensure => file\n"}, {"resource": "Exec[Generate cert kafka__haproxykafka refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert kafka__haproxykafka refresh on intermediate ca change].orig\n+++ Exec[Generate cert kafka__haproxykafka refresh on intermediate ca change]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__haproxykafka.csr | /usr/bin/cfssljson -bare /etc/haproxykafka/ssl/kafka__haproxykafka\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka.csr]\n+    subscribe   => File[/etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]\n+    refreshonly => True\n"}, {"resource": "Exec[Generate cert kafka__varnishkafka_kafka_11]", "parameters": "--- Exec[Generate cert kafka__varnishkafka_kafka_11].orig\n+++ Exec[Generate cert kafka__varnishkafka_kafka_11]\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr | /usr/bin/cfssljson -bare /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11\n\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem 2>&1)\"\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem]\n\n-    group   => root\n-    owner   => haproxykafka\n-    ensure  => file\n-    require => Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]\n"}, {"resource": "Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]", "parameters": "--- Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem].orig\n+++ Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]\n\n+    subscribe => ['Exec[renew certificate - kafka__varnishkafka]', 'File[/etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]', 'File[/etc/varnishkafka/ssl/kafka__varnishkafka.pem]']\n+    command   => /bin/cat /etc/varnishkafka/ssl/kafka__varnishkafka.pem /etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem > /etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem\n+    unless    => /usr/bin/test \"$(/bin/cat /etc/varnishkafka/ssl/kafka__varnishkafka.pem /etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem | sha512sum)\"\n\n+    require   => Exec[Generate cert kafka__varnishkafka refresh on intermediate ca change]\n"}, {"resource": "Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]", "parameters": "--- Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem].orig\n+++ Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]\n\n+    subscribe => ['Exec[renew certificate - kafka__haproxykafka]', 'File[/etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]', 'File[/etc/haproxykafka/ssl/kafka__haproxykafka.pem]']\n+    command   => /bin/cat /etc/haproxykafka/ssl/kafka__haproxykafka.pem /etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem > /etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem\n+    unless    => /usr/bin/test \"$(/bin/cat /etc/haproxykafka/ssl/kafka__haproxykafka.pem /etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem | sha512sum)\"\n\n+    require   => Exec[Generate cert kafka__haproxykafka refresh on intermediate ca change]\n"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka.pem]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka.pem].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka.pem]\n\n+    group  => root\n+    mode   => 0440\n+    owner  => root\n+    ensure => file\n"}, {"resource": "File[/etc/cfssl/csr/kafka__haproxykafka.csr]", "content": "--- /etc/cfssl/csr/kafka__haproxykafka.csr.orig\n+++ /etc/cfssl/csr/kafka__haproxykafka.csr\n@@ -0,0 +1,13 @@\n+{\n+  \"CN\": \"haproxykafka\",\n+  \"hosts\": [\n+    \"haproxykafka\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 256\n+  },\n+  \"names\": [\n+\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/kafka__haproxykafka.csr].orig\n+++ File[/etc/cfssl/csr/kafka__haproxykafka.csr]\n\n+    group  => root\n+    mode   => 0400\n+    owner  => root\n+    ensure => file\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem]\n\n+    group   => root\n+    owner   => haproxykafka\n+    ensure  => file\n+    require => Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]\n"}, {"resource": "Varnishkafka::Instance[statsv]", "parameters": "--- Varnishkafka::Instance[statsv].orig\n+++ Varnishkafka::Instance[statsv]\n\n@@\n-    ssl_key_location         => /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem\n+    ssl_key_location         => /etc/varnishkafka/ssl/kafka__varnishkafka-key.pem\n@@\n-    ssl_certificate_location => /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem\n+    ssl_certificate_location => /etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]\n\n-    common_name => varnishkafka\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n"}, {"resource": "File[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]", "content": "--- /etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr.orig\n+++ /etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"haproxykafka\",\n-  \"hosts\": [\n-    \"haproxykafka\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr].orig\n+++ File[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]\n\n-    group  => root\n-    mode   => 0400\n-    owner  => root\n-    ensure => file\n"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka.csr]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka.csr].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka.csr]\n\n+    group  => root\n+    mode   => 0440\n+    owner  => root\n+    ensure => file\n"}, {"resource": "Exec[renew certificate - kafka__haproxykafka]", "parameters": "--- Exec[renew certificate - kafka__haproxykafka].orig\n+++ Exec[renew certificate - kafka__haproxykafka]\n\n+    require     => Exec[Generate cert kafka__haproxykafka]\n+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka  /etc/haproxykafka/ssl/kafka__haproxykafka.csr | /usr/bin/cfssljson -bare /etc/haproxykafka/ssl/kafka__haproxykafka\n\n+    unless      => /usr/bin/openssl x509 -in /etc/haproxykafka/ssl/kafka__haproxykafka.pem -checkend 952200\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Exec[renew certificate - kafka__varnishkafka]", "parameters": "--- Exec[renew certificate - kafka__varnishkafka].orig\n+++ Exec[renew certificate - kafka__varnishkafka]\n\n+    require     => Exec[Generate cert kafka__varnishkafka]\n+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka  /etc/varnishkafka/ssl/kafka__varnishkafka.csr | /usr/bin/cfssljson -bare /etc/varnishkafka/ssl/kafka__varnishkafka\n\n+    unless      => /usr/bin/openssl x509 -in /etc/varnishkafka/ssl/kafka__varnishkafka.pem -checkend 952200\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]\n\n-    group  => root\n-    source => puppet:///modules/profile/pki/intermediates/kafka-cert.pem\n-    mode   => 0440\n-    owner  => root\n-    ensure => file\n"}, {"resource": "File[/etc/cfssl/csr/kafka__varnishkafka.csr]", "content": "--- /etc/cfssl/csr/kafka__varnishkafka.csr.orig\n+++ /etc/cfssl/csr/kafka__varnishkafka.csr\n@@ -0,0 +1,13 @@\n+{\n+  \"CN\": \"varnishkafka\",\n+  \"hosts\": [\n+    \"varnishkafka\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 256\n+  },\n+  \"names\": [\n+\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/kafka__varnishkafka.csr].orig\n+++ File[/etc/cfssl/csr/kafka__varnishkafka.csr]\n\n+    group  => root\n+    mode   => 0400\n+    owner  => root\n+    ensure => file\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]\n\n+    group  => root\n+    source => puppet:///modules/profile/pki/intermediates/kafka-cert.pem\n+    mode   => 0440\n+    owner  => haproxykafka\n+    ensure => file\n"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem]\n\n+    group   => root\n+    owner   => root\n+    ensure  => file\n+    require => Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]\n"}, {"resource": "Cfssl::Cert[kafka__varnishkafka_kafka_11]", "parameters": "--- Cfssl::Cert[kafka__varnishkafka_kafka_11].orig\n+++ Cfssl::Cert[kafka__varnishkafka_kafka_11]\n\n-    group           => root\n-    outdir          => /etc/varnishkafka/ssl\n-    profile         => kafka_11\n-    names           => []\n-    auto_renew      => True\n-    hosts           => []\n-    label           => kafka\n-    provide_chain   => True\n-    owner           => root\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    notify_services => []\n-    notify          => Service[varnishkafka-all]\n-    common_name     => varnishkafka\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    before_services => []\n-    mode            => 0740\n-    renew_seconds   => 952200\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem]\n\n-    group     => root\n-    backup    => False\n-    mode      => 0440\n-    show_diff => False\n-    owner     => haproxykafka\n-    ensure    => file\n"}, {"resource": "Cfssl::Cert[kafka__varnishkafka]", "parameters": "--- Cfssl::Cert[kafka__varnishkafka].orig\n+++ Cfssl::Cert[kafka__varnishkafka]\n\n+    group           => root\n+    outdir          => /etc/varnishkafka/ssl\n+    names           => []\n+    auto_renew      => True\n+    hosts           => []\n+    label           => kafka\n+    provide_chain   => True\n+    owner           => root\n+    ensure          => present\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    notify_services => []\n+    notify          => Service[varnishkafka-all]\n+    common_name     => varnishkafka\n+    key             => {'algo': 'ecdsa', 'size': 256}\n+    before_services => []\n+    mode            => 0740\n+    renew_seconds   => 952200\n"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka-key.pem]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka-key.pem].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka-key.pem]\n\n+    group     => root\n+    backup    => False\n+    mode      => 0440\n+    show_diff => False\n+    owner     => root\n+    ensure    => file\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka.pem]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka.pem].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka.pem]\n\n+    group  => root\n+    mode   => 0440\n+    owner  => haproxykafka\n+    ensure => file\n"}, {"resource": "Exec[Generate cert kafka__haproxykafka_kafka_11 refresh]", "parameters": "--- Exec[Generate cert kafka__haproxykafka_kafka_11 refresh].orig\n+++ Exec[Generate cert kafka__haproxykafka_kafka_11 refresh]\n\n-    subscribe   => File[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr | /usr/bin/cfssljson -bare /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11\n\n-    refreshonly => True\n-    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Exec[Generate cert kafka__varnishkafka_kafka_11 refresh]", "parameters": "--- Exec[Generate cert kafka__varnishkafka_kafka_11 refresh].orig\n+++ Exec[Generate cert kafka__varnishkafka_kafka_11 refresh]\n\n-    subscribe   => File[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr | /usr/bin/cfssljson -bare /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11\n\n-    refreshonly => True\n-    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]\n\n-    group  => root\n-    source => puppet:///modules/profile/pki/intermediates/kafka-cert.pem\n-    mode   => 0440\n-    owner  => haproxykafka\n-    ensure => file\n"}, {"resource": "Exec[renew certificate - kafka__haproxykafka_kafka_11]", "parameters": "--- Exec[renew certificate - kafka__haproxykafka_kafka_11].orig\n+++ Exec[renew certificate - kafka__haproxykafka_kafka_11]\n\n-    require     => Exec[Generate cert kafka__haproxykafka_kafka_11]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka -profile kafka_11 /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.csr | /usr/bin/cfssljson -bare /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11\n\n-    unless      => /usr/bin/openssl x509 -in /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem -checkend 952200\n-    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka.csr]\n\n+    common_name => varnishkafka\n+    key         => {'algo': 'ecdsa', 'size': 256}\n+    hosts       => []\n+    names       => []\n+    ensure      => present\n"}, {"resource": "Cfssl::Cert[kafka__haproxykafka]", "parameters": "--- Cfssl::Cert[kafka__haproxykafka].orig\n+++ Cfssl::Cert[kafka__haproxykafka]\n\n+    group           => root\n+    outdir          => /etc/haproxykafka/ssl\n+    names           => []\n+    auto_renew      => True\n+    hosts           => []\n+    label           => kafka\n+    provide_chain   => True\n+    owner           => haproxykafka\n+    ensure          => present\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    notify_services => []\n+    notify          => Service[haproxykafka]\n+    require         => ['File[/etc/haproxykafka/ssl]', 'User[haproxykafka]']\n+    common_name     => haproxykafka\n+    key             => {'algo': 'ecdsa', 'size': 256}\n+    before_services => []\n+    mode            => 0740\n+    renew_seconds   => 952200\n"}, {"resource": "Exec[Generate cert kafka__haproxykafka_kafka_11 refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert kafka__haproxykafka_kafka_11 refresh on intermediate ca change].orig\n+++ Exec[Generate cert kafka__haproxykafka_kafka_11 refresh on intermediate ca change]\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr | /usr/bin/cfssljson -bare /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]\n-    subscribe   => File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]\n-    refreshonly => True\n"}, {"resource": "Exec[Generate cert kafka__varnishkafka refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert kafka__varnishkafka refresh on intermediate ca change].orig\n+++ Exec[Generate cert kafka__varnishkafka refresh on intermediate ca change]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__varnishkafka.csr | /usr/bin/cfssljson -bare /etc/varnishkafka/ssl/kafka__varnishkafka\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka.csr]\n+    subscribe   => File[/etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]\n+    refreshonly => True\n"}, {"resource": "Exec[Generate cert kafka__varnishkafka]", "parameters": "--- Exec[Generate cert kafka__varnishkafka].orig\n+++ Exec[Generate cert kafka__varnishkafka]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka.csr]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__varnishkafka.csr | /usr/bin/cfssljson -bare /etc/varnishkafka/ssl/kafka__varnishkafka\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/varnishkafka/ssl/kafka__varnishkafka.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/varnishkafka/ssl/kafka__varnishkafka-key.pem 2>&1)\"\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]", "parameters": "--- Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem].orig\n+++ Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]\n\n-    subscribe => ['Exec[renew certificate - kafka__varnishkafka_kafka_11]', 'File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]', 'File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem]']\n-    command   => /bin/cat /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem > /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem\n-    unless    => /usr/bin/test \"$(/bin/cat /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem | sha512sum)\"\n\n-    require   => Exec[Generate cert kafka__varnishkafka_kafka_11 refresh on intermediate ca change]\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.csr]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.csr].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.csr]\n\n-    group  => root\n-    mode   => 0440\n-    owner  => haproxykafka\n-    ensure => file\n"}, {"resource": "File[/etc/haproxykafka/config.yaml]", "content": "--- /etc/haproxykafka/config.yaml.orig\n+++ /etc/haproxykafka/config.yaml\n@@ -33,8 +33,8 @@\n     compression.codec: snappy\n     topic.request.required.acks: 1\n     bootstrap.servers: kafka-jumbo1010.eqiad.wmnet:9093,kafka-jumbo1011.eqiad.wmnet:9093,kafka-jumbo1012.eqiad.wmnet:9093,kafka-jumbo1013.eqiad.wmnet:9093,kafka-jumbo1014.eqiad.wmnet:9093,kafka-jumbo1015.eqiad.wmnet:9093,kafka-jumbo1016.eqiad.wmnet:9093,kafka-jumbo1017.eqiad.wmnet:9093,kafka-jumbo1018.eqiad.wmnet:9093\n-    ssl.key.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem\"\n-    ssl.certificate.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem\"\n+    ssl.key.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem\"\n+    ssl.certificate.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem\"\n monitoring:\n   enable_pprof: true\n   enable_prometheus: true"}, {"resource": "Exec[renew certificate - kafka__varnishkafka_kafka_11]", "parameters": "--- Exec[renew certificate - kafka__varnishkafka_kafka_11].orig\n+++ Exec[renew certificate - kafka__varnishkafka_kafka_11]\n\n-    require     => Exec[Generate cert kafka__varnishkafka_kafka_11]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka -profile kafka_11 /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.csr | /usr/bin/cfssljson -bare /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11\n\n-    unless      => /usr/bin/openssl x509 -in /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem -checkend 952200\n-    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Cfssl::Cert[kafka__haproxykafka_kafka_11]", "parameters": "--- Cfssl::Cert[kafka__haproxykafka_kafka_11].orig\n+++ Cfssl::Cert[kafka__haproxykafka_kafka_11]\n\n-    group           => root\n-    outdir          => /etc/haproxykafka/ssl\n-    names           => []\n-    hosts           => []\n-    auto_renew      => True\n-    label           => kafka\n-    provide_chain   => True\n-    owner           => haproxykafka\n-    ensure          => present\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    notify_services => []\n-    notify          => Service[haproxykafka]\n-    require         => ['File[/etc/haproxykafka/ssl]', 'User[haproxykafka]']\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    common_name     => haproxykafka\n-    profile         => kafka_11\n-    mode            => 0740\n-    renew_seconds   => 952200\n-    before_services => []\n"}, {"resource": "Exec[Generate cert kafka__varnishkafka_kafka_11 refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert kafka__varnishkafka_kafka_11 refresh on intermediate ca change].orig\n+++ Exec[Generate cert kafka__varnishkafka_kafka_11 refresh on intermediate ca change]\n\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr | /usr/bin/cfssljson -bare /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]\n-    subscribe   => File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]\n-    refreshonly => True\n"}, {"resource": "File[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]", "content": "--- /etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr.orig\n+++ /etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"varnishkafka\",\n-  \"hosts\": [\n-    \"varnishkafka\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr].orig\n+++ File[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]\n\n-    group  => root\n-    mode   => 0400\n-    owner  => root\n-    ensure => file\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem]\n\n-    group  => root\n-    mode   => 0440\n-    owner  => haproxykafka\n-    ensure => file\n"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem]\n\n-    group     => root\n-    backup    => False\n-    mode      => 0440\n-    show_diff => False\n-    owner     => root\n-    ensure    => file\n"}, {"resource": "Exec[Generate cert kafka__haproxykafka_kafka_11]", "parameters": "--- Exec[Generate cert kafka__haproxykafka_kafka_11].orig\n+++ Exec[Generate cert kafka__haproxykafka_kafka_11]\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr | /usr/bin/cfssljson -bare /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11\n\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem 2>&1)\"\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem]\n\n-    group   => root\n-    owner   => root\n-    ensure  => file\n-    require => Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]\n\n-    common_name => haproxykafka\n-    key         => {'algo': 'ecdsa', 'size': 256}\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n"}, {"resource": "Exec[Generate cert kafka__varnishkafka refresh]", "parameters": "--- Exec[Generate cert kafka__varnishkafka refresh].orig\n+++ Exec[Generate cert kafka__varnishkafka refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/kafka__varnishkafka.csr]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__varnishkafka.csr | /usr/bin/cfssljson -bare /etc/varnishkafka/ssl/kafka__varnishkafka\n\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Exec[Generate cert kafka__haproxykafka]", "parameters": "--- Exec[Generate cert kafka__haproxykafka].orig\n+++ Exec[Generate cert kafka__haproxykafka]\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka.csr]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__haproxykafka.csr | /usr/bin/cfssljson -bare /etc/haproxykafka/ssl/kafka__haproxykafka\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/haproxykafka/ssl/kafka__haproxykafka.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/haproxykafka/ssl/kafka__haproxykafka-key.pem 2>&1)\"\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem]", "parameters": "--- File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem].orig\n+++ File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem]\n\n-    group  => root\n-    mode   => 0440\n-    owner  => root\n-    ensure => file\n"}, {"resource": "Exec[Generate cert kafka__haproxykafka refresh]", "parameters": "--- Exec[Generate cert kafka__haproxykafka refresh].orig\n+++ Exec[Generate cert kafka__haproxykafka refresh]\n\n+    subscribe   => File[/etc/cfssl/csr/kafka__haproxykafka.csr]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/cp2043.codfw.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__haproxykafka.csr | /usr/bin/cfssljson -bare /etc/haproxykafka/ssl/kafka__haproxykafka\n\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]", "parameters": "--- Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem].orig\n+++ Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]\n\n-    subscribe => ['Exec[renew certificate - kafka__haproxykafka_kafka_11]', 'File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]', 'File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem]']\n-    command   => /bin/cat /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem > /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem\n-    unless    => /usr/bin/test \"$(/bin/cat /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem | sha512sum)\"\n\n-    require   => Exec[Generate cert kafka__haproxykafka_kafka_11 refresh on intermediate ca change]\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka.csr]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka.csr].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka.csr]\n\n+    group  => root\n+    mode   => 0440\n+    owner  => haproxykafka\n+    ensure => file\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka.csr]\n\n+    common_name => haproxykafka\n+    key         => {'algo': 'ecdsa', 'size': 256}\n+    hosts       => []\n+    names       => []\n+    ensure      => present\n"}, {"resource": "File[/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem]", "parameters": "--- File[/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem].orig\n+++ File[/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem]\n\n+    group     => root\n+    backup    => False\n+    mode      => 0440\n+    show_diff => False\n+    owner     => haproxykafka\n+    ensure    => file\n"}], "perc_changed": "2.65%"}, "core": {"total": 4080, "only_in_self": ["Exec[Generate cert kafka__haproxykafka_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__haproxykafka_kafka_11 refresh]", "Exec[Generate cert kafka__haproxykafka_kafka_11]", "Exec[Generate cert kafka__varnishkafka_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__varnishkafka_kafka_11 refresh]", "Exec[Generate cert kafka__varnishkafka_kafka_11]", "Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]", "Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]", "Exec[renew certificate - kafka__haproxykafka_kafka_11]", "Exec[renew certificate - kafka__varnishkafka_kafka_11]", "File[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]", "File[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.csr]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem]"], "only_in_other": ["Exec[Generate cert kafka__haproxykafka refresh on intermediate ca change]", "Exec[Generate cert kafka__haproxykafka refresh]", "Exec[Generate cert kafka__haproxykafka]", "Exec[Generate cert kafka__varnishkafka refresh on intermediate ca change]", "Exec[Generate cert kafka__varnishkafka refresh]", "Exec[Generate cert kafka__varnishkafka]", "Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]", "Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]", "Exec[renew certificate - kafka__haproxykafka]", "Exec[renew certificate - kafka__varnishkafka]", "File[/etc/cfssl/csr/kafka__haproxykafka.csr]", "File[/etc/cfssl/csr/kafka__varnishkafka.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka-key.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.csr]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.pem]"], "resource_diffs": [{"resource": "File[/etc/varnishkafka/statsv.conf]", "content": "--- /etc/varnishkafka/statsv.conf.orig\n+++ /etc/varnishkafka/statsv.conf\n@@ -252,8 +252,8 @@\n #\n kafka.security.protocol=SSL\n kafka.ssl.ca.location=/etc/ssl/certs/wmf-ca-certificates.crt\n-kafka.ssl.key.location=/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem\n-kafka.ssl.certificate.location=/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem\n+kafka.ssl.key.location=/etc/varnishkafka/ssl/kafka__varnishkafka-key.pem\n+kafka.ssl.certificate.location=/etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem\n kafka.ssl.cipher.suites=ECDHE-ECDSA-AES256-GCM-SHA384\n kafka.ssl.curves.list=P-256\n kafka.ssl.sigalgs.list=ECDSA+SHA256"}, {"resource": "File[/etc/haproxykafka/config.yaml]", "content": "--- /etc/haproxykafka/config.yaml.orig\n+++ /etc/haproxykafka/config.yaml\n@@ -33,8 +33,8 @@\n     compression.codec: snappy\n     topic.request.required.acks: 1\n     bootstrap.servers: kafka-jumbo1010.eqiad.wmnet:9093,kafka-jumbo1011.eqiad.wmnet:9093,kafka-jumbo1012.eqiad.wmnet:9093,kafka-jumbo1013.eqiad.wmnet:9093,kafka-jumbo1014.eqiad.wmnet:9093,kafka-jumbo1015.eqiad.wmnet:9093,kafka-jumbo1016.eqiad.wmnet:9093,kafka-jumbo1017.eqiad.wmnet:9093,kafka-jumbo1018.eqiad.wmnet:9093\n-    ssl.key.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem\"\n-    ssl.certificate.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem\"\n+    ssl.key.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem\"\n+    ssl.certificate.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem\"\n monitoring:\n   enable_pprof: true\n   enable_prometheus: true"}], "perc_changed": "1.13%"}, "main": {"total": 4080, "only_in_self": ["Cfssl::Cert[kafka__haproxykafka_kafka_11]", "Cfssl::Cert[kafka__varnishkafka_kafka_11]", "Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]", "Exec[Generate cert kafka__haproxykafka_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__haproxykafka_kafka_11 refresh]", "Exec[Generate cert kafka__haproxykafka_kafka_11]", "Exec[Generate cert kafka__varnishkafka_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__varnishkafka_kafka_11 refresh]", "Exec[Generate cert kafka__varnishkafka_kafka_11]", "Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]", "Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]", "Exec[renew certificate - kafka__haproxykafka_kafka_11]", "Exec[renew certificate - kafka__varnishkafka_kafka_11]", "File[/etc/cfssl/csr/kafka__haproxykafka_kafka_11.csr]", "File[/etc/cfssl/csr/kafka__varnishkafka_kafka_11.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chain.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chain.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.csr]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem]"], "only_in_other": ["Cfssl::Cert[kafka__haproxykafka]", "Cfssl::Cert[kafka__varnishkafka]", "Cfssl::Csr[/etc/cfssl/csr/kafka__haproxykafka.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka__varnishkafka.csr]", "Exec[Generate cert kafka__haproxykafka refresh on intermediate ca change]", "Exec[Generate cert kafka__haproxykafka refresh]", "Exec[Generate cert kafka__haproxykafka]", "Exec[Generate cert kafka__varnishkafka refresh on intermediate ca change]", "Exec[Generate cert kafka__varnishkafka refresh]", "Exec[Generate cert kafka__varnishkafka]", "Exec[create chained cert /etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]", "Exec[create chained cert /etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]", "Exec[renew certificate - kafka__haproxykafka]", "Exec[renew certificate - kafka__varnishkafka]", "File[/etc/cfssl/csr/kafka__haproxykafka.csr]", "File[/etc/cfssl/csr/kafka__varnishkafka.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.chain.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.csr]", "File[/etc/haproxykafka/ssl/kafka__haproxykafka.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka-key.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.chain.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.csr]", "File[/etc/varnishkafka/ssl/kafka__varnishkafka.pem]"], "resource_diffs": [{"resource": "Class[Haproxykafka]", "parameters": "--- Class[Haproxykafka].orig\n+++ Class[Haproxykafka]\n\n@@\n-    config => {'workers': 2, 'message_buffer': 100.0, 'sdid': 'haproxykafka@0', 'hostname': 'cp2043.codfw.wmnet', 'socket': {'path': '/var/run/haproxykafka/haproxykafka.sock', 'mode': '0622', 'user': 'haproxykafka', 'group': 'haproxykafka', 'batch_size': 25000, 'batch_deadline': '500ms'}, 'logparser': {'batch_size': 102400, 'batch_deadline': '1000ms'}, 'kafka': {'topic': 'webrequest_frontend_text', 'dlq_topic': 'webrequest_errors', 'flush_timeout': 1000, 'batch_size': 102400, 'batch_deadline': '1000ms', 'rdkafka': {'acks': 'all', 'client.id': 'cp2043', 'security.protocol': 'SSL', 'ssl.ca.location': '/etc/ssl/certs/wmf-ca-certificates.crt', 'ssl.cipher.suites': 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ssl.curves.list': 'P-256', 'ssl.sigalgs.list': 'ECDSA+SHA256', 'queue.buffering.max.messages': 720000, 'queue.buffering.max.ms': 1000, 'batch.num.messages': 9000, 'compression.codec': 'snappy', 'topic.request.required.acks': 1, 'bootstrap.servers': 'kafka-jumbo1010.eqiad.wmnet:9093,kafka-jumbo1011.eqiad.wmnet:9093,kafka-jumbo1012.eqiad.wmnet:9093,kafka-jumbo1013.eqiad.wmnet:9093,kafka-jumbo1014.eqiad.wmnet:9093,kafka-jumbo1015.eqiad.wmnet:9093,kafka-jumbo1016.eqiad.wmnet:9093,kafka-jumbo1017.eqiad.wmnet:9093,kafka-jumbo1018.eqiad.wmnet:9093', 'ssl.key.location': '/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem', 'ssl.certificate.location': '/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem'}}, 'monitoring': {'enable_pprof': True, 'enable_prometheus': True, 'server_bind': ':9341', 'prometheus_prefix': 'haproxykafka_', 'prometheus_parsing_buckets': [5e-06, 1e-05, 5e-05, 0.0001, 0.0005, 0.001, 0.005], 'prometheus_processing_buckets': [1e-06, 5e-06, 1e-05, 2e-05, 3e-05, 5e-05, 0.0001, 0.0005, 0.001]}, 'transform_rules': {'haproxy_format': '02/Jan/2006:15:04:05.000', 'date_format': '2006-01-02T15:04:05Z', 'date_tz': 'UTC'}}\n+    config => {'workers': 2, 'message_buffer': 100.0, 'sdid': 'haproxykafka@0', 'hostname': 'cp2043.codfw.wmnet', 'socket': {'path': '/var/run/haproxykafka/haproxykafka.sock', 'mode': '0622', 'user': 'haproxykafka', 'group': 'haproxykafka', 'batch_size': 25000, 'batch_deadline': '500ms'}, 'logparser': {'batch_size': 102400, 'batch_deadline': '1000ms'}, 'kafka': {'topic': 'webrequest_frontend_text', 'dlq_topic': 'webrequest_errors', 'flush_timeout': 1000, 'batch_size': 102400, 'batch_deadline': '1000ms', 'rdkafka': {'acks': 'all', 'client.id': 'cp2043', 'security.protocol': 'SSL', 'ssl.ca.location': '/etc/ssl/certs/wmf-ca-certificates.crt', 'ssl.cipher.suites': 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ssl.curves.list': 'P-256', 'ssl.sigalgs.list': 'ECDSA+SHA256', 'queue.buffering.max.messages': 720000, 'queue.buffering.max.ms': 1000, 'batch.num.messages': 9000, 'compression.codec': 'snappy', 'topic.request.required.acks': 1, 'bootstrap.servers': 'kafka-jumbo1010.eqiad.wmnet:9093,kafka-jumbo1011.eqiad.wmnet:9093,kafka-jumbo1012.eqiad.wmnet:9093,kafka-jumbo1013.eqiad.wmnet:9093,kafka-jumbo1014.eqiad.wmnet:9093,kafka-jumbo1015.eqiad.wmnet:9093,kafka-jumbo1016.eqiad.wmnet:9093,kafka-jumbo1017.eqiad.wmnet:9093,kafka-jumbo1018.eqiad.wmnet:9093', 'ssl.key.location': '/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem', 'ssl.certificate.location': '/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem'}}, 'monitoring': {'enable_pprof': True, 'enable_prometheus': True, 'server_bind': ':9341', 'prometheus_prefix': 'haproxykafka_', 'prometheus_parsing_buckets': [5e-06, 1e-05, 5e-05, 0.0001, 0.0005, 0.001, 0.005], 'prometheus_processing_buckets': [1e-06, 5e-06, 1e-05, 2e-05, 3e-05, 5e-05, 0.0001, 0.0005, 0.001]}, 'transform_rules': {'haproxy_format': '02/Jan/2006:15:04:05.000', 'date_format': '2006-01-02T15:04:05Z', 'date_tz': 'UTC'}}\n"}, {"resource": "File[/etc/varnishkafka/statsv.conf]", "content": "--- /etc/varnishkafka/statsv.conf.orig\n+++ /etc/varnishkafka/statsv.conf\n@@ -252,8 +252,8 @@\n #\n kafka.security.protocol=SSL\n kafka.ssl.ca.location=/etc/ssl/certs/wmf-ca-certificates.crt\n-kafka.ssl.key.location=/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem\n-kafka.ssl.certificate.location=/etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem\n+kafka.ssl.key.location=/etc/varnishkafka/ssl/kafka__varnishkafka-key.pem\n+kafka.ssl.certificate.location=/etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem\n kafka.ssl.cipher.suites=ECDHE-ECDSA-AES256-GCM-SHA384\n kafka.ssl.curves.list=P-256\n kafka.ssl.sigalgs.list=ECDSA+SHA256"}, {"resource": "Varnishkafka::Instance[statsv]", "parameters": "--- Varnishkafka::Instance[statsv].orig\n+++ Varnishkafka::Instance[statsv]\n\n@@\n-    ssl_key_location         => /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem\n+    ssl_key_location         => /etc/varnishkafka/ssl/kafka__varnishkafka-key.pem\n@@\n-    ssl_certificate_location => /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem\n+    ssl_certificate_location => /etc/varnishkafka/ssl/kafka__varnishkafka.chained.pem\n"}, {"resource": "File[/etc/haproxykafka/config.yaml]", "content": "--- /etc/haproxykafka/config.yaml.orig\n+++ /etc/haproxykafka/config.yaml\n@@ -33,8 +33,8 @@\n     compression.codec: snappy\n     topic.request.required.acks: 1\n     bootstrap.servers: kafka-jumbo1010.eqiad.wmnet:9093,kafka-jumbo1011.eqiad.wmnet:9093,kafka-jumbo1012.eqiad.wmnet:9093,kafka-jumbo1013.eqiad.wmnet:9093,kafka-jumbo1014.eqiad.wmnet:9093,kafka-jumbo1015.eqiad.wmnet:9093,kafka-jumbo1016.eqiad.wmnet:9093,kafka-jumbo1017.eqiad.wmnet:9093,kafka-jumbo1018.eqiad.wmnet:9093\n-    ssl.key.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11-key.pem\"\n-    ssl.certificate.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka_kafka_11.chained.pem\"\n+    ssl.key.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka-key.pem\"\n+    ssl.certificate.location: \"/etc/haproxykafka/ssl/kafka__haproxykafka.chained.pem\"\n monitoring:\n   enable_pprof: true\n   enable_prometheus: true"}], "perc_changed": "1.37%"}}}