While attempting to deploy some minor changes for security.wikimedia.org (T372570) I came across some unexpected helmfile changes on `deploy1003`. It looks like an envoy image was attempting to be changed for TLS proxying? I'm not sure if it's safe or advisable to deploy these to these production miscweb sites. Here is the `helmfile -e codfw diff --context 5` output:
```lang=plaintext
helmfile.yaml: basePath=.
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-bugzilla-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-design-landing-page-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-research-landing-page-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-design-strategy-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-statictendril-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-wikiworkshop-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-annualreport-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-static-codereview-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-bienvenida-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-design-style-guide-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-design-blog-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-transparencyreport-codfw.yaml"
skipping missing values file matching "/etc/helmfile-defaults/private/main_services/miscweb/codfw.yaml"
skipping missing values file matching "values-codfw.yaml"
skipping missing values file matching "values-security-landing-page-codfw.yaml"
Comparing release=design-landing-page, chart=wmf-stable/miscweb
Comparing release=bugzilla, chart=wmf-stable/miscweb
Comparing release=research-landing-page, chart=wmf-stable/miscweb
Comparing release=design-strategy, chart=wmf-stable/miscweb
Comparing release=annualreport, chart=wmf-stable/miscweb
Comparing release=statictendril, chart=wmf-stable/miscweb
Comparing release=design-blog, chart=wmf-stable/miscweb
Comparing release=wikiworkshop, chart=wmf-stable/miscweb
Comparing release=design-style-guide, chart=wmf-stable/miscweb
Comparing release=transparencyreport, chart=wmf-stable/miscweb
Comparing release=security-landing-page, chart=wmf-stable/miscweb
Comparing release=bienvenida, chart=wmf-stable/miscweb
Comparing release=static-codereview, chart=wmf-stable/miscweb
miscweb, miscweb-design-blog, Deployment (apps) has changed:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-design-blog-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: design-blog
- name: SERVICE_ZONE
...
miscweb, miscweb-design-landing-page, Deployment (apps) has changed:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-design-landing-page-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: design-landing-page
- name: SERVICE_ZONE
...
miscweb, miscweb-static-codereview, Deployment (apps) has changed:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-static-codereview-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: static-codereview
- name: SERVICE_ZONE
...
miscweb, miscweb-security-landing-page, Deployment (apps) has changed:
...
envoyproxy.io/port: "9361"
spec:
containers:
# The main application container
- name: miscweb-security-landing-page
- image: "docker-registry.discovery.wmnet/repos/sre/miscweb/security-landing-page:2024-06-17-163318"
+ image: "docker-registry.discovery.wmnet/repos/sre/miscweb/security-landing-page:2024-08-16-095955"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
livenessProbe:
tcpSocket:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-security-landing-page-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: security-landing-page
- name: SERVICE_ZONE
...
miscweb, miscweb-design-style-guide, Deployment (apps) has changed:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-design-style-guide-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: design-style-guide
- name: SERVICE_ZONE
...
miscweb, miscweb-statictendril, Deployment (apps) has changed:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-statictendril-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: statictendril
- name: SERVICE_ZONE
...
miscweb, miscweb-annualreport, Deployment (apps) has changed:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-annualreport-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: annualreport
- name: SERVICE_ZONE
...
miscweb, miscweb-transparencyreport, Deployment (apps) has changed:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-transparencyreport-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: transparencyreport
- name: SERVICE_ZONE
...
miscweb, miscweb-bugzilla, Deployment (apps) has changed:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-bugzilla-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: bugzilla
- name: SERVICE_ZONE
...
miscweb, miscweb-bienvenida, Deployment (apps) has changed:
...
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- name: miscweb-bienvenida-tls-proxy
- image: docker-registry.discovery.wmnet/envoy:1.23.10-2-s4-20231203
+ image: docker-registry.discovery.wmnet/envoy:1.23.10-3
imagePullPolicy: IfNotPresent
env:
- name: SERVICE_NAME
value: bienvenida
- name: SERVICE_ZONE
...
helmfile.yaml: basePath=.
```
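Review bot: the only change here that matches the intended deploy is the `miscweb-security-landing-page` container image (`2024-06-17-163318` to `2024-08-16-095955`). Every other hunk swaps the `*-tls-proxy` sidecar from `envoy:1.23.10-2-s4-20231203` to `envoy:1.23.10-3`, so an unscoped apply would restart the TLS proxy on ten releases (bugzilla, annualreport, transparencyreport and the rest) that were not part of this change. Consider limiting the apply to the one release with helmfile's `--selector name=security-landing-page`, and note that the security-landing-page hunk itself also carries the envoy bump, so even the scoped apply rolls that sidecar. It is worth confirming with whoever changed the envoy default that `1.23.10-3` is meant to reach miscweb before applying.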