From 27bab79096584b50947f0d81d41ad2e143c1041e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Andr=C3=A9?= Date: Mon, 10 Sep 2018 18:49:02 +0200 Subject: [PATCH] Download binaries more securely Obtain binaries from encrypted source when we're unable to check for their signatures. This should provide better security than downloading the files over HTTP but does not replace signature verification or file integrity check. Related-Bug: #1791674 Change-Id: I7d6eed9ab14ceb130ea4f5f03d893ddaaa0a7acd --- docker/base/opendaylight.repo | 3 ++- docker/helm-repository/Dockerfile.j2 | 3 ++- docker/macros.j2 | 3 ++- docker/prometheus/prometheus-cadvisor/Dockerfile.j2 | 2 +- docker/rabbitmq/Dockerfile.j2 | 4 ++-- kolla/common/config.py | 4 +++- 6 files changed, 12 insertions(+), 7 deletions(-) diff --git a/docker/base/opendaylight.repo b/docker/base/opendaylight.repo index 8c0c299fd4..44c1eb26d5 100644 --- a/docker/base/opendaylight.repo +++ b/docker/base/opendaylight.repo @@ -1,5 +1,6 @@ [opendaylight] name=CentOS CBS OpenDaylight Release Repository -baseurl=http://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/ +# opendaylight package is not signed, so download from HTTPS source at least +baseurl=https://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/ enabled=1 gpgcheck=0 diff --git a/docker/helm-repository/Dockerfile.j2 b/docker/helm-repository/Dockerfile.j2 index 45772bcbcf..1b1acbb891 100644 --- a/docker/helm-repository/Dockerfile.j2 +++ b/docker/helm-repository/Dockerfile.j2 
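Review bot: The stanza keeps `gpgcheck=0`, so after this change the only thing standing between the build and a substituted RPM is the TLS handshake to cbs.centos.org, and yum only validates that certificate because `sslverify` defaults to on, a global setting a base image could override. The new comment explains why HTTPS was chosen but not what is still missing, and the reliance on TLS is worth stating in the stanza itself: `# TODO: packages from this repo are not GPG-signed (gpgcheck=0); HTTPS only protects transport, see bug 1791674` followed by an explicit `sslverify=1`. If a signing key for these packages becomes available, flipping `gpgcheck=1` and adding `gpgkey=` is what closes the TODO; until then this is a transport-only guarantee and the comment should say so.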
@@ -55,7 +55,8 @@ ENV helm_arch={{ base_arch }} {% endif %} {% block helm_repository_install_kubernetes_helm %} -RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz http://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \ +# TODO(mandre) check for file integrity instead of downloading from an HTTPS source +RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \ && sudo tar --strip-components 1 -C /usr/bin linux-${helm_arch}/helm -zxvf /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz \ && sudo chmod 755 /usr/bin/helm \ && rm /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz diff --git a/docker/macros.j2 b/docker/macros.j2 index d01709271a..aa9c097cbc 100644 --- a/docker/macros.j2 +++ b/docker/macros.j2 @@ -84,7 +84,8 @@ RUN apt-get update \ && /bin/false {% endif %} - RUN curl -o /usr/bin/kubectl http://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \ + # TODO(mandre) check for file integrity instead of downloading from an HTTPS source + RUN curl -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \ && chmod 755 /usr/bin/kubectl {% endmacro %} diff --git a/docker/prometheus/prometheus-cadvisor/Dockerfile.j2 b/docker/prometheus/prometheus-cadvisor/Dockerfile.j2 index c4b1886619..427961f469 100644 --- a/docker/prometheus/prometheus-cadvisor/Dockerfile.j2 +++ b/docker/prometheus/prometheus-cadvisor/Dockerfile.j2 
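Review bot: The new `curl -Lo` line still follows redirects to any scheme, so a redirect from storage.googleapis.com to an `http://` URL would silently undo the point of this change, and without `-f` an error page is saved as the tarball and only tar notices. Pin the protocol and fail on HTTP errors: `RUN curl -fL --proto '=https' -o /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \`. The TODO wording "instead of downloading from an HTTPS source" reads as if HTTPS should be dropped once an integrity check exists; `# TODO(mandre): HTTPS only protects transport; also verify the tarball checksum` says what is meant. Because `helm_version` is a build variable, the eventual check needs an expected digest recorded per version rather than a `.sha256` fetched from the same bucket, which adds nothing the TLS connection does not already give. The RUN continues with tar/chmod inside the hunk; the enclosing `{% block %}` closes outside it.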
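Review bot: `curl -o /usr/bin/kubectl` has no `-f`, so a 4xx/5xx response body is written as the binary and the following `chmod 755` lets the build succeed with a broken kubectl; `curl -f -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \` turns that into a build failure. Since the version is hard-coded to v1.5.4, the TODO can be closed in this hunk rather than deferred: add `&& echo '<sha256-of-kubectl-v1.5.4-${KUBE_ARCH}>  /usr/bin/kubectl' | sha256sum -c - \` before the chmod, with one expected digest per `KUBE_ARCH` taken from an out-of-band copy of the release checksums. The `{% macro %}` header this RUN belongs to is above the hunk.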
@@ -22,7 +22,7 @@ RUN curl -ssL -o /opt/cadvisor https://github.com/google/cadvisor/releases/downl {% set cadvisor_packages = [ 'libjs-bootstrap', 'libjs-jquery', - 'http://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb' + 'https://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb' ] %} {{ macros.install_packages(cadvisor_packages | customizable("packages")) }} diff --git a/docker/rabbitmq/Dockerfile.j2 b/docker/rabbitmq/Dockerfile.j2 index 6c9f3a816e..b737941b63 100644 --- a/docker/rabbitmq/Dockerfile.j2 +++ b/docker/rabbitmq/Dockerfile.j2 @@ -27,7 +27,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build ] %} {% else %} {% set rabbitmq_packages = rabbitmq_packages + [ - 'http://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb', + 'https://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb', ] %} {% endif %} @@ -52,7 +52,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build RUN rm -rf /var/lib/rabbitmq/* \ && ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.6.* /usr/lib/rabbitmq/lib/rabbitmq_server-3.6 \ - && curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez http://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \ + && curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez https://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \ && /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \ rabbitmq_management \ rabbitmq_clusterer diff --git a/kolla/common/config.py b/kolla/common/config.py index a6bdbc08b1..18cfe9e3d4 100755 --- a/kolla/common/config.py +++ b/kolla/common/config.py 
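Review bot: The arm64 `.deb` is still passed to `macros.install_packages` as a bare URL, and as far as can be told from here that installs it directly, so apt's Release-signature check never covers it; the scheme change only moves trust to snapshot.debian.org's certificate. The path is already pinned to a snapshot timestamp, so the missing integrity check is cheap: record the package's sha256 next to the URL and verify it before installing, or fetch it the way the amd64 binary is fetched on the first context line and `sha256sum -c` it. How `install_packages` treats URL entries is defined outside this hunk, so the first point is an assumption to confirm against `macros.j2`.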
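Review bot: `rabbitmq-server_3.6.5-1_all.deb` is pulled by URL into `rabbitmq_packages`, so unlike the distro packages it is not covered by an apt-signed Release file and HTTPS to www.rabbitmq.com is now the only check. As far as I know RabbitMQ publishes detached GPG signatures for its release artifacts, so the TODO could be closed here by fetching the `.asc` and verifying it against the project's release key, or more simply by pinning the deb's sha256 next to the URL since the version is fixed. How `rabbitmq_packages` is consumed is outside this hunk.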
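Review bot: The plugin download on the `curl -o .../rabbitmq_clusterer-3.6.x-667f92b0.ez` line has no `-f`, so an error response is written into the plugins directory and `rabbitmq-plugins enable --offline` is what discovers it, if anything does; `&& curl -f -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez https://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \` makes the failure explicit. The `667f92b0` in the filename looks like a git revision rather than an integrity value, so the TODO still applies to this line: pinning the `.ez` file's sha256 and checking it before `rabbitmq-plugins enable` would close it. The RUN may continue past the end of the hunk.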
@@ -43,7 +43,9 @@ DELOREAN_DEPS = "https://trunk.rdoproject.org/centos7/delorean-deps.repo" INSTALL_TYPE_CHOICES = ['binary', 'source', 'rdo', 'rhos'] -TARBALLS_BASE = "http://tarballs.openstack.org" +# TODO(mandre) check for file integrity instead of downloading from an HTTPS +# source +TARBALLS_BASE = "https://tarballs.openstack.org" _PROFILE_OPTS = [ cfg.ListOpt('infra',
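Review bot: The TODO comment says "check for file integrity instead of downloading from an HTTPS source", which reads as if HTTPS should go away once checksums exist; the two are complementary, and the same wording is copied into the Dockerfiles in this patch. Suggest `# TODO(mandre): HTTPS only protects the transport; tarballs fetched from here` followed by `# still need a checksum or signature check where they are downloaded.` Since `TARBALLS_BASE` is just a string, the code that actually fetches from it (outside this hunk) is where a redirect to plain http://, a missing `-f`, or a disabled certificate check would matter, and deserves the same review. `_PROFILE_OPTS` continues past the hunk.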