{"host": "ms-fe2018.codfw.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3413, "only_in_self": [], "only_in_other": ["Envoyproxy::Cluster[cluster_ratelimit]", "Envoyproxy::Conf[cluster_ratelimit]", "File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]"], "resource_diffs": [{"resource": "Envoyproxy::Cluster[cluster_ratelimit]", "parameters": "--- Envoyproxy::Cluster[cluster_ratelimit].orig\n+++ Envoyproxy::Cluster[cluster_ratelimit]\n\n+ priority => 1\n"}, {"resource": "Class[Profile::Tlsproxy::Envoy]", "parameters": "--- Class[Profile::Tlsproxy::Envoy].orig\n+++ Class[Profile::Tlsproxy::Envoy]\n\n@@\n- rate_limit_enabled => False\n+ rate_limit_enabled => True\n"}, {"resource": "File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]", "content": "--- /etc/envoy/clusters.d/01-cluster_ratelimit.yaml.orig\n+++ /etc/envoy/clusters.d/01-cluster_ratelimit.yaml\n@@ -0,0 +1,27 @@\n+name: ratelimit\n+type: STRICT_DNS\n+connect_timeout: 0.25s\n+lb_policy: ROUND_ROBIN\n+typed_extension_protocol_options:\n+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:\n+ \"@type\": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\n+ explicit_http_config:\n+ http2_protocol_options: {}\n+load_assignment:\n+ cluster_name: ratelimit\n+ endpoints:\n+ - lb_endpoints:\n+ - endpoint:\n+ address:\n+ socket_address:\n+ address: ratelimit-media.svc.codfw.wmnet.\n+ port_value: 30443\n+transport_socket:\n+ name: envoy.transport_sockets.tls\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext\n+ sni: ratelimit-media.svc.codfw.wmnet\n+ common_tls_context:\n+ validation_context:\n+ trusted_ca:\n+ filename: /etc/ssl/certs/ca-certificates.crt", "parameters": "--- File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml].orig\n+++ File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]\n\n+ group => root\n+ owner => root\n+ ensure => present\n+ mode => 0444\n+ notify => Exec[verify-envoy-config]\n"}, {"resource": "Envoyproxy::Tls_terminator[443]", "parameters": "--- Envoyproxy::Tls_terminator[443].orig\n+++ Envoyproxy::Tls_terminator[443]\n\n@@\n- rate_limit_enabled => False\n+ rate_limit_enabled => True\n"}, {"resource": "Envoyproxy::Conf[tls_terminator_443]"}, {"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -41,7 +41,41 @@\n retry_policy:\n num_retries: 1\n retry_on: \"5xx\"\n+ typed_per_filter_config:\n+ envoy.filters.http.ratelimit.resp:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n+ rate_limits:\n+ - hits_addend:\n+ format: \"%BYTES_SENT%\"\n+ apply_on_stream_done: true\n+ # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n+ actions:\n+ # Hardcode the policy and user class for now\n+ - generic_key:\n+ descriptor_key: policy\n+ descriptor_value: thumbnails\n+ - generic_key:\n+ descriptor_key: user_class\n+ descriptor_value: anon\n+ # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n+ - request_headers:\n+ descriptor_key: user_id\n+ header_name: x-client-ip\n http_filters:\n+ - name: envoy.filters.http.ratelimit.resp\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit\n+ domain: upload\n+ request_type: both\n+ stage: 0\n+ failure_mode_deny: false # return 200 if rate limit service is unavailable\n+ enable_x_ratelimit_headers: DRAFT_VERSION_03\n+ rate_limit_service:\n+ transport_api_version: V3\n+ grpc_service:\n+ envoy_grpc:\n+ cluster_name: ratelimit\n+ authority: ratelimit-media.svc.codfw.wmnet # Set HTTP/2 authority, SNI from the cluster is not enough\n - name: envoy.filters.http.router\n typed_config:\n \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}, {"resource": "Envoyproxy::Listener[tls_terminator_443]"}, {"resource": "Envoyproxy::Conf[cluster_ratelimit]", "parameters": "--- Envoyproxy::Conf[cluster_ratelimit].orig\n+++ Envoyproxy::Conf[cluster_ratelimit]\n\n+ conf_type => cluster\n+ priority => 1\n"}], "perc_changed": "0.32%"}, "core": {"total": 3413, "only_in_self": [], "only_in_other": ["File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]"], "resource_diffs": [{"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -41,7 +41,41 @@\n retry_policy:\n num_retries: 1\n retry_on: \"5xx\"\n+ typed_per_filter_config:\n+ envoy.filters.http.ratelimit.resp:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n+ rate_limits:\n+ - hits_addend:\n+ format: \"%BYTES_SENT%\"\n+ apply_on_stream_done: true\n+ # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n+ actions:\n+ # Hardcode the policy and user class for now\n+ - generic_key:\n+ descriptor_key: policy\n+ descriptor_value: thumbnails\n+ - generic_key:\n+ descriptor_key: user_class\n+ descriptor_value: anon\n+ # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n+ - request_headers:\n+ descriptor_key: user_id\n+ header_name: x-client-ip\n http_filters:\n+ - name: envoy.filters.http.ratelimit.resp\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit\n+ domain: upload\n+ request_type: both\n+ stage: 0\n+ failure_mode_deny: false # return 200 if rate limit service is unavailable\n+ enable_x_ratelimit_headers: DRAFT_VERSION_03\n+ rate_limit_service:\n+ transport_api_version: V3\n+ grpc_service:\n+ envoy_grpc:\n+ cluster_name: ratelimit\n+ authority: ratelimit-media.svc.codfw.wmnet # Set HTTP/2 authority, SNI from the cluster is not enough\n - name: envoy.filters.http.router\n typed_config:\n \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}], "perc_changed": "0.06%"}, "main": {"total": 3413, "only_in_self": [], "only_in_other": ["Envoyproxy::Cluster[cluster_ratelimit]", "Envoyproxy::Conf[cluster_ratelimit]", "File[/etc/envoy/clusters.d/01-cluster_ratelimit.yaml]"], "resource_diffs": [{"resource": "Envoyproxy::Tls_terminator[443]", "parameters": "--- Envoyproxy::Tls_terminator[443].orig\n+++ Envoyproxy::Tls_terminator[443]\n\n@@\n- rate_limit_enabled => False\n+ rate_limit_enabled => True\n"}, {"resource": "Envoyproxy::Conf[tls_terminator_443]"}, {"resource": "File[/etc/envoy/listeners.d/00-tls_terminator_443.yaml]", "content": "--- /etc/envoy/listeners.d/00-tls_terminator_443.yaml.orig\n+++ /etc/envoy/listeners.d/00-tls_terminator_443.yaml\n@@ -41,7 +41,41 @@\n retry_policy:\n num_retries: 1\n retry_on: \"5xx\"\n+ typed_per_filter_config:\n+ envoy.filters.http.ratelimit.resp:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute\n+ rate_limits:\n+ - hits_addend:\n+ format: \"%BYTES_SENT%\"\n+ apply_on_stream_done: true\n+ # NOTE: If one of the headers referenced below is not set, the rate limit is not applied.\n+ actions:\n+ # Hardcode the policy and user class for now\n+ - generic_key:\n+ descriptor_key: policy\n+ descriptor_value: thumbnails\n+ - generic_key:\n+ descriptor_key: user_class\n+ descriptor_value: anon\n+ # Provide the user's identity (x-client-ip is set at the edge) as the counter key\n+ - request_headers:\n+ descriptor_key: user_id\n+ header_name: x-client-ip\n http_filters:\n+ - name: envoy.filters.http.ratelimit.resp\n+ typed_config:\n+ \"@type\": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit\n+ domain: upload\n+ request_type: both\n+ stage: 0\n+ failure_mode_deny: false # return 200 if rate limit service is unavailable\n+ enable_x_ratelimit_headers: DRAFT_VERSION_03\n+ rate_limit_service:\n+ transport_api_version: V3\n+ grpc_service:\n+ envoy_grpc:\n+ cluster_name: ratelimit\n+ authority: ratelimit-media.svc.codfw.wmnet # Set HTTP/2 authority, SNI from the cluster is not enough\n - name: envoy.filters.http.router\n typed_config:\n \"@type\": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}, {"resource": "Envoyproxy::Listener[tls_terminator_443]"}, {"resource": "Class[Profile::Tlsproxy::Envoy]", "parameters": "--- Class[Profile::Tlsproxy::Envoy].orig\n+++ Class[Profile::Tlsproxy::Envoy]\n\n@@\n- rate_limit_enabled => False\n+ rate_limit_enabled => True\n"}], "perc_changed": "0.23%"}}}