[CI] Trust only infra mirrors

Infra mirrors get their indices rebuilt to avoid broken
indices (due to partial update).
Unfortunately, this wipes out the cryptographic signatures.
Our approach so far was disabling apt security features globally.
However, this is not a valid choice for external repos.
It hid an issue we introduced with new RabbitMQ repos missing
proper keys installed in the image.
This caused permanent failures outside of our CI.

Our process should be as close as possible to users' experience.
This patch makes CI trust only the mirrors that have their indices
rebuilt (so infra mirrors).

Change-Id: Ic5abc4b87fd76f87aba383abf43e95ba70629fcb
(cherry picked from commit c364c8be85)

tests/templates/template_overrides.j2

@@ -13,15 +13,6 @@ RUN echo registry={{ nodepool_npmjs_proxy }} > /etc/npmrc \
     && ln -s /etc/npmrc /usr/etc/npmrc
 
 {% raw %}
-{% if base_distro in ['debian', 'ubuntu'] %}
-{% endraw %}
-
-# NOTE(hrw): Debian 'buster' and Ubuntu 18.04 refuse to use unsigned repos
-RUN echo 'APT::Get::AllowUnauthenticated "true";' > /etc/apt/apt.conf.d/99allow-unauthenticated \
- && echo 'Acquire::AllowInsecureRepositories "true";' > /etc/apt/apt.conf.d/99allow-insecure-repos
-
-{% raw %}
-{% endif %}
 {% endblock %}
 
 {% block base_centos_repo_overrides_post_copy %}
@@ -64,17 +55,17 @@ RUN sed -i \
 {% if base_distro == "debian" %}
 {% endraw %}
 
-RUN sed -i -e "s|http://deb.debian.org|http://{{ nodepool_mirror_host }}|" \
-        -e "s|http://security.debian.org|http://{{ nodepool_mirror_host }}|" \
+RUN sed -i -e "s|http://deb.debian.org|[trusted=yes] http://{{ nodepool_mirror_host }}|" \
+        -e "s|http://security.debian.org|[trusted=yes] http://{{ nodepool_mirror_host }}|" \
         /etc/apt/sources.list
 
 {% raw %}
 {% elif base_distro == "ubuntu" %}
 {% endraw %}
 
-RUN sed -i -e "s|mirror://mirrors.ubuntu.com/mirrors.txt|http://{{ nodepool_mirror_host }}/ubuntu/|" \
-        -e "s|http://ubuntu-cloud.archive.canonical.com/ubuntu|http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|" \
-        -e "s|http://ports.ubuntu.com|http://{{ nodepool_mirror_host }}/ubuntu-ports|" \
+RUN sed -i -e "s|mirror://mirrors.ubuntu.com/mirrors.txt|[trusted=yes] http://{{ nodepool_mirror_host }}/ubuntu/|" \
+        -e "s|http://ubuntu-cloud.archive.canonical.com/ubuntu|[trusted=yes] http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|" \
+        -e "s|http://ports.ubuntu.com|[trusted=yes] http://{{ nodepool_mirror_host }}/ubuntu-ports|" \
         /etc/apt/sources.list
 
 {% raw %}
@@ -110,20 +101,17 @@ RUN sed -i \
         /etc/yum.repos.d/epel*.repo
 {% raw %}
 {% elif base_package_type == 'deb' %}
-{% endraw %}
-RUN rm -f /etc/apt/apt.conf.d/99allow-unauthenticated /etc/apt/apt.conf.d/99allow-insecure-repos
-{% raw %}
 {% if base_distro == "debian" %}
 {% endraw %}
-RUN sed -i -e "s|http://{{ nodepool_mirror_host }}|http://deb.debian.org|" \
-        -e "s|http://{{ nodepool_mirror_host }}|http://security.debian.org|" \
+RUN sed -i -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}|http://deb.debian.org|" \
+        -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}|http://security.debian.org|" \
         /etc/apt/sources.list
 {% raw %}
 {% elif base_distro == "ubuntu" %}
 {% endraw %}
-RUN sed -i -e "s|http://{{ nodepool_mirror_host }}/ubuntu/|mirror://mirrors.ubuntu.com/mirrors.txt|" \
-        -e "s|http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|http://ubuntu-cloud.archive.canonical.com/ubuntu|" \
-        -e "s|http://{{ nodepool_mirror_host }}/ubuntu-ports|http://ports.ubuntu.com|" \
+RUN sed -i -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/ubuntu/|mirror://mirrors.ubuntu.com/mirrors.txt|" \
+        -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/ubuntu-cloud-archive|http://ubuntu-cloud.archive.canonical.com/ubuntu|" \
+        -e "s|\[trusted=yes\] http://{{ nodepool_mirror_host }}/ubuntu-ports|http://ports.ubuntu.com|" \
         /etc/apt/sources.list
 {% raw %}
 {% endif %}