Compilation results for alert1002.wikimedia.org: System changes detected

Catalog differences

Summary

Resources only in the old catalog

• Monitoring::Service[https-requestctl.wikimedia.org-expiry]
• Profile::Idp::Client::Httpd::Site[requestctl.wikimedia.org]
• Nagios_service[alert1002 https-requestctl.wikimedia.org-expiry]
• Nagios_service[alert1002 https-requestctl.wikimedia.org-unauthorized]
• Monitoring::Service[https-requestctl.wikimedia.org-unauthorized]
• File[/var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/]

Resources modified

• Httpd::Conf[requestctl.wikimedia.org]

• Httpd::Site[requestctl.wikimedia.org]

  Parameters differences:

  --- Httpd::Site[requestctl.wikimedia.org].orig
  +++ Httpd::Site[requestctl.wikimedia.org]
  
  +    require => ['Acme_chief::Cert[icinga]']
  

• File[/etc/default/hiddenparma]

  Content differences:

  --- /etc/default/hiddenparma.orig
  +++ /etc/default/hiddenparma
  @@ -5,6 +5,12 @@
   CSRF_SHARED_SECRET="snakeoil"
   DATACENTERS="eqiad,codfw,esams,ulsfo,eqsin,drmrs,magru"
   DBSTORE_DSN="mariadb+pymysql://lolo:placeholder@m2-master.eqiad.wmnet/requestctl?charset=utf8mb4"
  +WEB_AUTH_BACKEND="native_cas"
   API_AUTH_BACKEND="api_token_from_db"
   API_ROOT_TOKEN="t00r"
   API_TOKEN_ENCRYPTION_KEY="snakeoil"
  +# Native CAS configuration
  +CAS_SERVER_URL="'https://idp.wikimedia.org/login'"
  +CAS_SERVICE_URL="https://requestctl.wikimedia.org/cas/callback"
  +SESSION_SECRET_KEY="a secret"
  +AUTHORIZED_GROUPS="cn=ops,ou=groups,dc=wikimedia,dc=org:cn=wmf,ou=groups,dc=wikimedia,dc=org"

• Class[Profile::Conftool::Hiddenparma]

  Parameters differences:

  --- Class[Profile::Conftool::Hiddenparma].orig
  +++ Class[Profile::Conftool::Hiddenparma]
  
  +    session_secret_key => a secret
  

• File[/etc/apache2/sites-available/50-requestctl-wikimedia-org.conf]

  Content differences:

  --- /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf.orig
  +++ /etc/apache2/sites-available/50-requestctl-wikimedia-org.conf
  @@ -22,54 +22,18 @@
       SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
       Header always set Strict-Transport-Security "max-age=106384710; includeSubDomains; preload"
   
  -    CASLoginURL https://idp.wikimedia.org/login
  -    CASValidateURL https://idp.wikimedia.org/serviceValidate
  -    CASDebug Off
  -    CASVersion 2
  -    CASCertificatePath /etc/ssl/certs
  -    CASCookiePath /var/cache/apache2/mod_auth_cas/requestctl.wikimedia.org/
  -    CASAttributePrefix X-CAS-
  -    CASAttributeDelimiter :
  -    CASValidateSAML Off
  -    CASSSOEnabled On
  -    CASCookieSameSite Lax
  -    CASCookieSecure On
  -    CASTimeout 7200
  -    CASIdleTimeout 3600
  -    <Directory />
  -        AllowOverride None
  -        Require all granted
  -    </Directory>
  -
       <Location />
  -          AuthType CAS
  -          CASAuthNHeader CAS-User
  -          CASScope /
  -          Require cas-attribute memberOf:cn=ops,ou=groups,dc=wikimedia,dc=org
  -          Require cas-attribute memberOf:cn=wmf,ou=groups,dc=wikimedia,dc=org
           ProxyPass http://localhost:8080/
           ProxyPassReverse http://localhost:8080/
       </Location>
   
       <Location /health_check>
  -        Require all granted
           Alias /var/www/health_check
           ProxyPass !
       </Location>
   
  -    <Location /api>
  -        Require all granted
  -        ProxyPass http://localhost:8080/api
  -        ProxyPassReverse http://localhost:8080/api
  -    </Location>
  -
       # Static files
       Alias "/static" "/srv/deployment/hiddenparma/deploy/src/static"
  -    # Static assets are not protected by the CAS auth
  -    <Directory /srv/deployment/hiddenparma/deploy/src/static">
  -        AllowOverride None
  -        Require all granted
  -    </Directory>
   
   
       CustomLog /var/log/apache2/requestctl.wikimedia.org-access.log wmf

Relevant files

• Production catalog
• Change catalog
• Production errors/warnings
• Change errors/warnings
• Core Diff
• Full Diff