{"host": "kafka-jumbo1010.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2998, "only_in_self": ["Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "Cfssl::Cert[kafka__kafka_mirror_maker_kafka_11]", "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh]", "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11]", "Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]", "Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]", "Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "Exec[renew certificate - kafka__kafka_mirror_maker_kafka_11]", "File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "File[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem]"], "only_in_other": ["Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet]", "Cfssl::Cert[kafka__kafka_mirror_maker]", "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet]", "Exec[Generate cert kafka__kafka_mirror_maker refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka_mirror_maker refresh]", "Exec[Generate cert kafka__kafka_mirror_maker]", "Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]", "Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]", "Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet]", "Exec[renew certificate - kafka__kafka_mirror_maker]", "File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem]"], "resource_diffs": [{"resource": "Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet].orig\n+++ Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet]\n\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    outdir          => /etc/kafka/ssl\n+    provide_chain   => True\n+    notify          => Sslcert::X509_to_pkcs12[kafka_keystore]\n+    group           => root\n+    ensure          => present\n+    mode            => 0740\n+    notify_services => []\n+    renew_seconds   => 2678400\n+    before_services => []\n+    names           => []\n+    auto_renew      => True\n+    common_name     => kafka-jumbo1010.eqiad.wmnet\n+    require         => Class[Confluent::Kafka::Common]\n+    key             => {'algo': 'ecdsa', 'size': 256}\n+    owner           => kafka\n+    hosts           => ['kafka-jumbo1010', 'kafka-jumbo1010.eqiad.wmnet', '10.64.130.10', '2620:0:861:109:10:64:130:10', 'kafka-jumbo-eqiad.external-services.svc.cluster.local']\n+    label           => kafka\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]\n\n+    hosts       => ['kafka-jumbo1010', 'kafka-jumbo1010.eqiad.wmnet', '10.64.130.10', '2620:0:861:109:10:64:130:10', 'kafka-jumbo-eqiad.external-services.svc.cluster.local']\n+    names       => []\n+    ensure      => present\n+    common_name => kafka-jumbo1010.eqiad.wmnet\n+    key         => {'algo': 'ecdsa', 'size': 256}\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem]\n\n-    ensure  => file\n-    require => Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]\n-    owner   => kafka\n-    group   => root\n"}, {"resource": "Exec[Generate cert kafka__kafka_mirror_maker]", "parameters": "--- Exec[Generate cert kafka__kafka_mirror_maker].orig\n+++ Exec[Generate cert kafka__kafka_mirror_maker]\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem 2>&1)\"\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__kafka_mirror_maker.csr | /usr/bin/cfssljson -bare /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker\n\n"}, {"resource": "Exec[Generate cert kafka__kafka_mirror_maker refresh]", "parameters": "--- Exec[Generate cert kafka__kafka_mirror_maker refresh].orig\n+++ Exec[Generate cert kafka__kafka_mirror_maker refresh]\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    refreshonly => True\n+    subscribe   => File[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__kafka_mirror_maker.csr | /usr/bin/cfssljson -bare /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker\n\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem]\n\n-    ensure => file\n-    mode   => 0440\n-    owner  => kafka\n-    group  => kafka\n"}, {"resource": "Exec[sslcert generate kafka_keystore.p12]", "parameters": "--- Exec[sslcert generate kafka_keystore.p12].orig\n+++ Exec[sslcert generate kafka_keystore.p12]\n\n@@\n-    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:qwerty' -in /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n+    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:qwerty' -in /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n@@\n-    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem -inkey /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem -out /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -password 'pass:qwerty'\n+    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem -inkey /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem -out /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -password 'pass:qwerty'\n"}, {"resource": "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh]", "parameters": "--- Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh].orig\n+++ Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    subscribe   => File[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr | /usr/bin/cfssljson -bare /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11\n\n"}, {"resource": "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "parameters": "--- Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11].orig\n+++ Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr | /usr/bin/cfssljson -bare /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11\n\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]\n\n+    hosts       => []\n+    names       => []\n+    ensure      => present\n+    common_name => kafka_mirror_maker\n+    key         => {'algo': 'ecdsa', 'size': 256}\n"}, {"resource": "File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr\n@@ -0,0 +1,17 @@\n+{\n+  \"CN\": \"kafka-jumbo1010.eqiad.wmnet\",\n+  \"hosts\": [\n+    \"kafka-jumbo1010\",\n+    \"kafka-jumbo1010.eqiad.wmnet\",\n+    \"10.64.130.10\",\n+    \"2620:0:861:109:10:64:130:10\",\n+    \"kafka-jumbo-eqiad.external-services.svc.cluster.local\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 256\n+  },\n+  \"names\": [\n+\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet]", "parameters": "--- Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet].orig\n+++ Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet]\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem 2>&1)\"\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet\n\n"}, {"resource": "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh on intermediate ca change].orig\n+++ Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh on intermediate ca change]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr | /usr/bin/cfssljson -bare /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11\n\n-    refreshonly => True\n-    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => kafka\n+    group  => root\n"}, {"resource": "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11]", "parameters": "--- Exec[Generate cert kafka__kafka_mirror_maker_kafka_11].orig\n+++ Exec[Generate cert kafka__kafka_mirror_maker_kafka_11]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem 2>&1)\"\n\n-    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr | /usr/bin/cfssljson -bare /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11\n\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => kafka\n+    group  => kafka\n"}, {"resource": "Exec[renew certificate - kafka__kafka_mirror_maker]", "parameters": "--- Exec[renew certificate - kafka__kafka_mirror_maker].orig\n+++ Exec[renew certificate - kafka__kafka_mirror_maker]\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    unless      => /usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem -checkend 952200\n+    require     => Exec[Generate cert kafka__kafka_mirror_maker]\n+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka  /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.csr | /usr/bin/cfssljson -bare /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker\n\n"}, {"resource": "File[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]", "content": "--- /etc/cfssl/csr/kafka__kafka_mirror_maker.csr.orig\n+++ /etc/cfssl/csr/kafka__kafka_mirror_maker.csr\n@@ -0,0 +1,13 @@\n+{\n+  \"CN\": \"kafka_mirror_maker\",\n+  \"hosts\": [\n+    \"kafka_mirror_maker\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 256\n+  },\n+  \"names\": [\n+\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr].orig\n+++ File[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]\n\n+    ensure => file\n+    mode   => 0400\n+    owner  => root\n+    group  => root\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem]\n\n+    ensure  => file\n+    require => Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]\n+    owner   => kafka\n+    group   => root\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]\n\n-    hosts       => ['kafka-jumbo1010', 'kafka-jumbo1010.eqiad.wmnet', '10.64.130.10', '2620:0:861:109:10:64:130:10', 'kafka-jumbo-eqiad.external-services.svc.cluster.local']\n-    names       => []\n-    ensure      => present\n-    common_name => kafka-jumbo1010.eqiad.wmnet\n-    key         => {'algo': 'ecdsa', 'size': 256}\n"}, {"resource": "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh]\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    refreshonly => True\n+    subscribe   => File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet\n\n"}, {"resource": "Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]", "parameters": "--- Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem].orig\n+++ Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]\n\n+    unless    => /usr/bin/test \"$(/bin/cat /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem | sha512sum)\"\n\n+    subscribe => ['Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet]', 'File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]', 'File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem]']\n+    require   => Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh on intermediate ca change]\n+    command   => /bin/cat /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem > /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.csr].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => kafka\n+    group  => root\n"}, {"resource": "Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "parameters": "--- Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11].orig\n+++ Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem -checkend 2678400\n-    require     => Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka -profile kafka_11 /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr | /usr/bin/cfssljson -bare /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11\n\n"}, {"resource": "Exec[Generate cert kafka__kafka_mirror_maker refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert kafka__kafka_mirror_maker refresh on intermediate ca change].orig\n+++ Exec[Generate cert kafka__kafka_mirror_maker refresh on intermediate ca change]\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    subscribe   => File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__kafka_mirror_maker.csr | /usr/bin/cfssljson -bare /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker\n\n+    refreshonly => True\n+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem]\n\n-    ensure => file\n-    mode   => 0440\n-    owner  => kafka\n-    group  => root\n"}, {"resource": "Sslcert::X509_to_pkcs12[kafka_keystore]", "parameters": "--- Sslcert::X509_to_pkcs12[kafka_keystore].orig\n+++ Sslcert::X509_to_pkcs12[kafka_keystore]\n\n@@\n-    public_key  => /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem\n+    public_key  => /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem\n@@\n-    private_key => /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem\n+    private_key => /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem]\n\n-    owner     => kafka\n-    backup    => False\n-    show_diff => False\n-    group     => kafka\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]\n\n-    ensure => file\n-    mode   => 0440\n-    owner  => kafka\n-    group  => root\n"}, {"resource": "Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "parameters": "--- Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11].orig\n+++ Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]\n\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    outdir          => /etc/kafka/ssl\n-    provide_chain   => True\n-    profile         => kafka_11\n-    notify          => Sslcert::X509_to_pkcs12[kafka_keystore]\n-    group           => root\n-    ensure          => present\n-    mode            => 0740\n-    notify_services => []\n-    renew_seconds   => 2678400\n-    before_services => []\n-    names           => []\n-    auto_renew      => True\n-    common_name     => kafka-jumbo1010.eqiad.wmnet\n-    require         => Class[Confluent::Kafka::Common]\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    owner           => kafka\n-    hosts           => ['kafka-jumbo1010', 'kafka-jumbo1010.eqiad.wmnet', '10.64.130.10', '2620:0:861:109:10:64:130:10', 'kafka-jumbo-eqiad.external-services.svc.cluster.local']\n-    label           => kafka\n"}, {"resource": "Exec[sslcert generate kafka_mirror_keystore.p12]", "parameters": "--- Exec[sslcert generate kafka_mirror_keystore.p12].orig\n+++ Exec[sslcert generate kafka_mirror_keystore.p12]\n\n@@\n-    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:' -in /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n+    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:' -in /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n@@\n-    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem -inkey /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem -out /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -password 'pass:'\n+    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem -inkey /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem -out /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -password 'pass:'\n"}, {"resource": "Exec[renew certificate - kafka__kafka_mirror_maker_kafka_11]", "parameters": "--- Exec[renew certificate - kafka__kafka_mirror_maker_kafka_11].orig\n+++ Exec[renew certificate - kafka__kafka_mirror_maker_kafka_11]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    unless      => /usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem -checkend 952200\n-    require     => Exec[Generate cert kafka__kafka_mirror_maker_kafka_11]\n-    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka -profile kafka_11 /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.csr | /usr/bin/cfssljson -bare /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11\n\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]\n\n-    hosts       => []\n-    names       => []\n-    ensure      => present\n-    common_name => kafka_mirror_maker\n-    key         => {'algo': 'ecdsa', 'size': 256}\n"}, {"resource": "Cfssl::Cert[kafka__kafka_mirror_maker]", "parameters": "--- Cfssl::Cert[kafka__kafka_mirror_maker].orig\n+++ Cfssl::Cert[kafka__kafka_mirror_maker]\n\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n+    outdir          => /etc/kafka/mirror/ssl\n+    provide_chain   => True\n+    notify          => Sslcert::X509_to_pkcs12[kafka_mirror_keystore]\n+    group           => kafka\n+    ensure          => present\n+    mode            => 0740\n+    notify_services => []\n+    renew_seconds   => 952200\n+    before_services => []\n+    names           => []\n+    auto_renew      => True\n+    common_name     => kafka_mirror_maker\n+    key             => {'algo': 'ecdsa', 'size': 256}\n+    owner           => kafka\n+    hosts           => []\n+    label           => kafka\n"}, {"resource": "Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]", "parameters": "--- Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem].orig\n+++ Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]\n\n-    unless    => /usr/bin/test \"$(/bin/cat /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem | sha512sum)\"\n\n-    subscribe => ['Exec[renew certificate - kafka__kafka_mirror_maker_kafka_11]', 'File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]', 'File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem]']\n-    require   => Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh on intermediate ca change]\n-    command   => /bin/cat /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem > /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem]\n\n+    owner     => kafka\n+    backup    => False\n+    show_diff => False\n+    group     => kafka\n+    mode      => 0440\n+    ensure    => file\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]\n\n+    owner  => kafka\n+    group  => kafka\n+    mode   => 0440\n+    source => puppet:///modules/profile/pki/intermediates/kafka-cert.pem\n+    ensure => file\n"}, {"resource": "Sslcert::X509_to_pkcs12[kafka_mirror_keystore]", "parameters": "--- Sslcert::X509_to_pkcs12[kafka_mirror_keystore].orig\n+++ Sslcert::X509_to_pkcs12[kafka_mirror_keystore]\n\n@@\n-    public_key  => /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem\n+    public_key  => /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem\n@@\n-    private_key => /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem\n+    private_key => /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.csr]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.csr].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.csr]\n\n-    ensure => file\n-    mode   => 0440\n-    owner  => kafka\n-    group  => kafka\n"}, {"resource": "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh on intermediate ca change].orig\n+++ Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh on intermediate ca change]\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    subscribe   => File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka  /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet\n\n+    refreshonly => True\n+    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]\n"}, {"resource": "Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet].orig\n+++ Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet]\n\n+    environment => ['GODEBUG=x509ignoreCN=0']\n+    unless      => /usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem -checkend 2678400\n+    require     => Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet]\n+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka  /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet\n\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]\n\n+    owner  => kafka\n+    group  => root\n+    mode   => 0440\n+    source => puppet:///modules/profile/pki/intermediates/kafka-cert.pem\n+    ensure => file\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem]\n\n+    owner     => kafka\n+    backup    => False\n+    show_diff => False\n+    group     => root\n+    mode      => 0440\n+    ensure    => file\n"}, {"resource": "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh on intermediate ca change].orig\n+++ Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh on intermediate ca change]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    subscribe   => File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr | /usr/bin/cfssljson -bare /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11\n\n-    refreshonly => True\n-    require     => Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]\n"}, {"resource": "File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "content": "--- /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr.orig\n+++ /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr\n@@ -1,17 +0,0 @@\n-{\n-  \"CN\": \"kafka-jumbo1010.eqiad.wmnet\",\n-  \"hosts\": [\n-    \"kafka-jumbo1010\",\n-    \"kafka-jumbo1010.eqiad.wmnet\",\n-    \"10.64.130.10\",\n-    \"2620:0:861:109:10:64:130:10\",\n-    \"kafka-jumbo-eqiad.external-services.svc.cluster.local\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr].orig\n+++ File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]\n\n-    ensure => file\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem]\n\n-    ensure  => file\n-    require => Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]\n-    owner   => kafka\n-    group   => kafka\n"}, {"resource": "Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]", "parameters": "--- Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem].orig\n+++ Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]\n\n+    unless    => /usr/bin/test \"$(/bin/cat /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem | sha512sum)\"\n\n+    subscribe => ['Exec[renew certificate - kafka__kafka_mirror_maker]', 'File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]', 'File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem]']\n+    require   => Exec[Generate cert kafka__kafka_mirror_maker refresh on intermediate ca change]\n+    command   => /bin/cat /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem > /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem\n"}, {"resource": "Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]", "parameters": "--- Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem].orig\n+++ Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]\n\n-    unless    => /usr/bin/test \"$(/bin/cat /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem | sha512sum)\"\n\n-    subscribe => ['Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]', 'File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]', 'File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem]']\n-    require   => Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh on intermediate ca change]\n-    command   => /bin/cat /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem > /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.csr]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.csr].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.csr]\n\n+    ensure => file\n+    mode   => 0440\n+    owner  => kafka\n+    group  => kafka\n"}, {"resource": "File[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]", "content": "--- /etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr.orig\n+++ /etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr\n@@ -1,13 +0,0 @@\n-{\n-  \"CN\": \"kafka_mirror_maker\",\n-  \"hosts\": [\n-    \"kafka_mirror_maker\"\n-  ],\n-  \"key\": {\n-    \"algo\": \"ecdsa\",\n-    \"size\": 256\n-  },\n-  \"names\": [\n-\n-  ]\n-}", "parameters": "--- File[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr].orig\n+++ File[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]\n\n-    ensure => file\n-    mode   => 0400\n-    owner  => root\n-    group  => root\n"}, {"resource": "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh]", "parameters": "--- Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh].orig\n+++ Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh]\n\n-    environment => ['GODEBUG=x509ignoreCN=0']\n-    refreshonly => True\n-    subscribe   => File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]\n-    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/kafka-jumbo1010.eqiad.wmnet.pem -label kafka -profile kafka_11 /etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr | /usr/bin/cfssljson -bare /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11\n\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]\n\n-    owner  => kafka\n-    group  => kafka\n-    mode   => 0440\n-    source => puppet:///modules/profile/pki/intermediates/kafka-cert.pem\n-    ensure => file\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem]\n\n-    owner     => kafka\n-    backup    => False\n-    show_diff => False\n-    group     => root\n-    mode      => 0440\n-    ensure    => file\n"}, {"resource": "Cfssl::Cert[kafka__kafka_mirror_maker_kafka_11]", "parameters": "--- Cfssl::Cert[kafka__kafka_mirror_maker_kafka_11].orig\n+++ Cfssl::Cert[kafka__kafka_mirror_maker_kafka_11]\n\n-    environment     => ['GODEBUG=x509ignoreCN=0']\n-    outdir          => /etc/kafka/mirror/ssl\n-    provide_chain   => True\n-    profile         => kafka_11\n-    notify          => Sslcert::X509_to_pkcs12[kafka_mirror_keystore]\n-    group           => kafka\n-    ensure          => present\n-    mode            => 0740\n-    notify_services => []\n-    renew_seconds   => 952200\n-    before_services => []\n-    names           => []\n-    auto_renew      => True\n-    common_name     => kafka_mirror_maker\n-    key             => {'algo': 'ecdsa', 'size': 256}\n-    owner           => kafka\n-    hosts           => []\n-    label           => kafka\n"}, {"resource": "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem]", "parameters": "--- File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem].orig\n+++ File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem]\n\n+    ensure  => file\n+    require => Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]\n+    owner   => kafka\n+    group   => kafka\n"}, {"resource": "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]", "parameters": "--- File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem].orig\n+++ File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]\n\n-    owner  => kafka\n-    group  => root\n-    mode   => 0440\n-    source => puppet:///modules/profile/pki/intermediates/kafka-cert.pem\n-    ensure => file\n"}], "perc_changed": "3.60%"}, "core": {"total": 2998, "only_in_self": ["Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh]", "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11]", "Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]", "Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]", "Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "Exec[renew certificate - kafka__kafka_mirror_maker_kafka_11]", "File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "File[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem]"], "only_in_other": ["Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet]", "Exec[Generate cert kafka__kafka_mirror_maker refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka_mirror_maker refresh]", "Exec[Generate cert kafka__kafka_mirror_maker]", "Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]", "Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]", "Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet]", "Exec[renew certificate - kafka__kafka_mirror_maker]", "File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem]"], "resource_diffs": [{"resource": "Exec[sslcert generate kafka_keystore.p12]", "parameters": "--- Exec[sslcert generate kafka_keystore.p12].orig\n+++ Exec[sslcert generate kafka_keystore.p12]\n\n@@\n-    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:qwerty' -in /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n+    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:qwerty' -in /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n@@\n-    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem -inkey /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem -out /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -password 'pass:qwerty'\n+    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem -inkey /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem -out /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -password 'pass:qwerty'\n"}, {"resource": "Exec[sslcert generate kafka_mirror_keystore.p12]", "parameters": "--- Exec[sslcert generate kafka_mirror_keystore.p12].orig\n+++ Exec[sslcert generate kafka_mirror_keystore.p12]\n\n@@\n-    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:' -in /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n+    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:' -in /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n@@\n-    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem -inkey /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem -out /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -password 'pass:'\n+    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem -inkey /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem -out /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -password 'pass:'\n"}], "perc_changed": "1.53%"}, "main": {"total": 2998, "only_in_self": ["Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "Cfssl::Cert[kafka__kafka_mirror_maker_kafka_11]", "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11 refresh]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11 refresh]", "Exec[Generate cert kafka__kafka_mirror_maker_kafka_11]", "Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]", "Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]", "Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11]", "Exec[renew certificate - kafka__kafka_mirror_maker_kafka_11]", "File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "File[/etc/cfssl/csr/kafka__kafka_mirror_maker_kafka_11.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chain.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chain.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.csr]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.pem]"], "only_in_other": ["Cfssl::Cert[kafka__kafka-jumbo1010_eqiad_wmnet]", "Cfssl::Cert[kafka__kafka_mirror_maker]", "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet refresh]", "Exec[Generate cert kafka__kafka-jumbo1010_eqiad_wmnet]", "Exec[Generate cert kafka__kafka_mirror_maker refresh on intermediate ca change]", "Exec[Generate cert kafka__kafka_mirror_maker refresh]", "Exec[Generate cert kafka__kafka_mirror_maker]", "Exec[create chained cert /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]", "Exec[create chained cert /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]", "Exec[renew certificate - kafka__kafka-jumbo1010_eqiad_wmnet]", "Exec[renew certificate - kafka__kafka_mirror_maker]", "File[/etc/cfssl/csr/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/kafka__kafka_mirror_maker.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chain.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.csr]", "File[/etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chain.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.csr]", "File[/etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.pem]"], "resource_diffs": [{"resource": "Sslcert::X509_to_pkcs12[kafka_mirror_keystore]", "parameters": "--- Sslcert::X509_to_pkcs12[kafka_mirror_keystore].orig\n+++ Sslcert::X509_to_pkcs12[kafka_mirror_keystore]\n\n@@\n-    public_key  => /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem\n+    public_key  => /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem\n@@\n-    private_key => /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem\n+    private_key => /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem\n"}, {"resource": "Exec[sslcert generate kafka_keystore.p12]", "parameters": "--- Exec[sslcert generate kafka_keystore.p12].orig\n+++ Exec[sslcert generate kafka_keystore.p12]\n\n@@\n-    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:qwerty' -in /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n+    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:qwerty' -in /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n@@\n-    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem -inkey /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem -out /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -password 'pass:qwerty'\n+    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem -inkey /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem -out /etc/kafka/ssl/kafka_jumbo-eqiad_broker.keystore.p12 -password 'pass:qwerty'\n"}, {"resource": "Sslcert::X509_to_pkcs12[kafka_keystore]", "parameters": "--- Sslcert::X509_to_pkcs12[kafka_keystore].orig\n+++ Sslcert::X509_to_pkcs12[kafka_keystore]\n\n@@\n-    public_key  => /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11.chained.pem\n+    public_key  => /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet.chained.pem\n@@\n-    private_key => /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet_kafka_11-key.pem\n+    private_key => /etc/kafka/ssl/kafka__kafka-jumbo1010_eqiad_wmnet-key.pem\n"}, {"resource": "Exec[sslcert generate kafka_mirror_keystore.p12]", "parameters": "--- Exec[sslcert generate kafka_mirror_keystore.p12].orig\n+++ Exec[sslcert generate kafka_mirror_keystore.p12]\n\n@@\n-    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:' -in /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n+    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:' -in /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -clcerts -nokeys | openssl x509)\"\n@@\n-    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11.chained.pem -inkey /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker_kafka_11-key.pem -out /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -password 'pass:'\n+    command => /usr/bin/openssl pkcs12 -export  -in /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker.chained.pem -inkey /etc/kafka/mirror/ssl/kafka__kafka_mirror_maker-key.pem -out /etc/kafka/mirror/ssl/kafka_mirror_maker.keystore.p12 -password 'pass:'\n"}], "perc_changed": "1.87%"}}}