Use https to retrieve upper-constraints

For consistency with independent roles' testing and increased security,
use https to retrieve the upper-constraints.txt file when the Python
version available has native support for SNI.

Change-Id: I60dd9955a223ded35259f91742071e4f0575c303

playbooks/common-tasks/set-upper-constraints.yml

@@ -37,9 +37,15 @@
     dest: "/opt/global-requirement-pins.txt"
   when: (upper_constraints_check.status | default(503)) != 200
 
+# Use https when Python with native SNI support is available
+- name: Set pip install upper constraints protocol
+  set_fact:
+    pip_install_upper_constraints_proto: "{{ ansible_python_version | version_compare('2.7.9', '>=') | ternary('https','http') }}"
+  when: (upper_constraints_check.status | default(503)) != 200
+
 - name: Set pip install upper constraints
   set_fact:
     pip_install_upper_constraints: >-
       /opt/global-requirement-pins.txt
-      --constraint http://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?id={{ requirements_git_install_branch | regex_replace(' #.*$','') }}
+      --constraint {{ pip_install_upper_constraints_proto }}://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?id={{ requirements_git_install_branch | regex_replace(' #.*$','') }}
   when: (upper_constraints_check.status | default(503)) != 200

scripts/bootstrap-ansible.sh

@@ -26,8 +26,12 @@ export ANSIBLE_PACKAGE=${ANSIBLE_PACKAGE:-"git+https://github.com/ansible/ansibl
 export ANSIBLE_ROLE_FILE=${ANSIBLE_ROLE_FILE:-"ansible-role-requirements.yml"}
 export SSH_DIR=${SSH_DIR:-"/root/.ssh"}
 export DEBIAN_FRONTEND=${DEBIAN_FRONTEND:-"noninteractive"}
+PYTHON_EXEC_PATH="$(which python2 || which python)"
+PYTHON_VERSION="$($PYTHON_EXEC_PATH -c 'import sys; print(".".join(map(str, sys.version_info[:3])))')"
+# Use https when Python with native SNI support is available
+UPPER_CONSTRAINTS_PROTO=$([ "$PYTHON_VERSION" == $(echo -e "$PYTHON_VERSION\n2.7.9" | sort -V | tail -1) ] && echo "https" || echo "http")
 # Set the location of the constraints to use for all pip installations
-export UPPER_CONSTRAINTS_FILE=${UPPER_CONSTRAINTS_FILE:-"http://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?id=$(awk '/requirements_git_install_branch:/ {print $2}' playbooks/defaults/repo_packages/openstack_services.yml)"}
+export UPPER_CONSTRAINTS_FILE=${UPPER_CONSTRAINTS_FILE:-"$UPPER_CONSTRAINTS_PROTO://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt?id=$(awk '/requirements_git_install_branch:/ {print $2}' playbooks/defaults/repo_packages/openstack_services.yml)"}
 # Set the role fetch mode to any option [galaxy, git-clone]
 export ANSIBLE_ROLE_FETCH_MODE=${ANSIBLE_ROLE_FETCH_MODE:-galaxy}
 # virtualenv vars
@@ -95,7 +99,6 @@ elif [ -n "$HTTP_PROXY" ]; then
 fi
 
 # Create a Virtualenv for the Ansible runtime
-PYTHON_EXEC_PATH="$(which python2 || which python)"
 virtualenv --clear ${VIRTUALENV_OPTIONS} --system-site-packages --python="${PYTHON_EXEC_PATH}" /opt/ansible-runtime
 
 # The vars used to prepare the Ansible runtime venv