Change external resources to https where possible

This change updates all of the external URLs to use HTTPS where possible. the change will create a more secure deployment by default. Change-Id: I4d53c021904208bffb0d597c7ae53bbd00f40209 Closes-Bug: 1411331
2015-05-25 08:12:30 -07:00 · 2015-05-25 08:12:30 -07:00 · e6383147bf
parent 66d8d6ee96
commit e6383147bf
9 changed files with 31 additions and 27 deletions
--- a/playbooks/inventory/group_vars/all.yml
+++ b/playbooks/inventory/group_vars/all.yml
@ -18,13 +18,6 @@ debug: False
 verbose: True


-## Repo server
-repo_service_user_name: nginx
-repo_service_home_folder: /var/www
-repo_server_port: 8181
-repo_pip_default_index: "http://{{ openstack_upstream_domain }}/pools"
-
-
 ## Rsyslog server
 rsyslog_server_spool_directory: /var/spool/rsyslog
 rsyslog_server_storage_directory: /var/log/log-storage
@ -34,20 +27,28 @@ rsyslog_server_storage_directory: /var/log/log-storage
 openstack_release: master
 # URL for the frozen internal openstack repo.
 openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
+openstack_upstream_proto: "https"
 openstack_upstream_domain: "rpc-repo.rackspace.com"
-openstack_upstream_url: "http://{{ openstack_upstream_domain }}"
+openstack_upstream_url: "{{ openstack_upstream_proto }}://{{ openstack_upstream_domain }}"
 # Global minimum kernel requirement
 openstack_host_required_kernel: 3.13.0-34-generic


+## Repo server
+repo_service_user_name: nginx
+repo_service_home_folder: /var/www
+repo_server_port: 8181
+repo_pip_default_index: "{{ openstack_upstream_url }}/pools"
+
+
 ## LXC options
 lxc_container_caches:
  - url: "{{ openstack_upstream_url }}/container_images/rpc-trusty-container.tgz"
    name: "trusty.tgz"

 # In container APT repository settings
-lxc_container_template_main_apt_repo: "http://mirror.rackspace.com/ubuntu"
-lxc_container_template_security_apt_repo: "http://mirror.rackspace.com/ubuntu"
+lxc_container_template_main_apt_repo: "https://mirror.rackspace.com/ubuntu"
+lxc_container_template_security_apt_repo: "https://mirror.rackspace.com/ubuntu"


 ## RabbitMQ
--- a/playbooks/roles/galera_client/defaults/main.yml
+++ b/playbooks/roles/galera_client/defaults/main.yml
@ -25,7 +25,7 @@ galera_client_gpg_keys:
    hash_id: '0xcbcb082a1bb943db'

 # Repositories
-galera_client_apt_repo_url: "http://mirror.rackspace.com/mariadb/repo/5.5/ubuntu"
+galera_client_apt_repo_url: "https://mirror.rackspace.com/mariadb/repo/5.5/ubuntu"
 galera_client_apt_repo:
  repo: "deb {{ galera_client_apt_repo_url }} {{ ansible_distribution_release }} main"
  state: "present"
--- a/playbooks/roles/galera_server/defaults/main.yml
+++ b/playbooks/roles/galera_server/defaults/main.yml
@ -52,7 +52,7 @@ galera_gpg_keys:
    hash_id: '0xcbcb082a1bb943db'

 # Repositories
-galera_apt_repo_url: "http://mirror.rackspace.com/mariadb/repo/5.5/ubuntu"
+galera_apt_repo_url: "https://mirror.rackspace.com/mariadb/repo/5.5/ubuntu"
 galera_apt_repo:
  repo: "deb {{ galera_apt_repo_url }} {{ ansible_distribution_release }} main"
  state: "present"
--- a/playbooks/roles/lxc_container_create/defaults/main.yml
+++ b/playbooks/roles/lxc_container_create/defaults/main.yml
@ -36,8 +36,8 @@ lxc_container_template_options: >
  --user {{ lxc_container_user_name }}
  --password {{ lxc_container_user_password }}

-lxc_container_template_main_apt_repo: "http://archive.ubuntu.com/ubuntu"
-lxc_container_template_security_apt_repo: "http://security.ubuntu.com/ubuntu"
+lxc_container_template_main_apt_repo: "https://mirror.rackspace.com/ubuntu"
+lxc_container_template_security_apt_repo: "https://mirror.rackspace.com/ubuntu"

 lxc_container_default_interfaces: |
  # The loopback network interface
--- a/playbooks/roles/lxc_hosts/defaults/main.yml
+++ b/playbooks/roles/lxc_hosts/defaults/main.yml
@ -40,8 +40,8 @@ lxc_kernel_options:
  - { key: 'fs.inotify.max_user_instances', value: 1024 }
  - { key: 'vm.swappiness', value: 10 }

-lxc_container_template_main_apt_repo: "http://archive.ubuntu.com/ubuntu"
-lxc_container_template_security_apt_repo: "http://security.ubuntu.com/ubuntu"
+lxc_container_template_main_apt_repo: "https://mirror.rackspace.com/ubuntu"
+lxc_container_template_security_apt_repo: "https://mirror.rackspace.com/ubuntu"


 # Required apt packages.
--- a/playbooks/roles/rabbitmq_server/defaults/main.yml
+++ b/playbooks/roles/rabbitmq_server/defaults/main.yml
@ -18,7 +18,7 @@ is_metal: true

 rabbitmq_primary_cluster_node: "{{ groups['rabbitmq_all'][0] }}"

-rabbitmq_package_url: http://www.rabbitmq.com/releases/rabbitmq-server/v3.5.1/rabbitmq-server_3.5.1-1_all.deb
+rabbitmq_package_url: https://www.rabbitmq.com/releases/rabbitmq-server/v3.5.1/rabbitmq-server_3.5.1-1_all.deb
 rabbitmq_package_sha256: "e514012a210b4ed5b77d726329ce027c50e8629c396bcde451ac16aaff07d047"
 rabbitmq_package_path: "/opt/rabbitmq-server.deb"

--- a/playbooks/roles/repo_server/files/openstack-wheel-builder.py
+++ b/playbooks/roles/repo_server/files/openstack-wheel-builder.py
@ -345,7 +345,7 @@ def main():
                '--pip-extra-link-dirs',
                _abs_path(user_vars['link_pool']),
                '--pip-index',
-                'http://rpc-repo.rackspace.com/pools',
+                'https://rpc-repo.rackspace.com/pools',
                '--pip-extra-index',
                'https://pypi.python.org/simple',
                '--pip-bulk-operation',
--- a/scripts/bootstrap-aio.sh
+++ b/scripts/bootstrap-aio.sh
@ -42,8 +42,8 @@ export TEMPEST_FATAL_DEPRECATIONS=${TEMPEST_FATAL_DEPRECATIONS:-"no"}

 # Ubuntu repos
 UBUNTU_RELEASE=$(lsb_release -sc)
-UBUNTU_REPO=${UBUNTU_REPO:-"http://mirror.rackspace.com/ubuntu"}
-UBUNTU_SEC_REPO=${UBUNTU_SEC_REPO:-"http://mirror.rackspace.com/ubuntu"}
+UBUNTU_REPO=${UBUNTU_REPO:-"https://mirror.rackspace.com/ubuntu"}
+UBUNTU_SEC_REPO=${UBUNTU_SEC_REPO:-"https://mirror.rackspace.com/ubuntu"}


 ## Library Check -------------------------------------------------------------
@ -91,6 +91,9 @@ if [ ! "$(grep -e '^nameserver 8.8.8.8' -e '^nameserver 8.8.4.4' /etc/resolv.con
  echo -e '\n# Adding google name servers\nnameserver 8.8.8.8\nnameserver 8.8.4.4' | tee -a /etc/resolv.conf
 fi

+# Ensure that the https apt transport is available before doing anything else
+apt-get update && apt-get install -y apt-transport-https
+
 # Set the host repositories to only use the same ones, always, for the sake of consistency.
 cat > /etc/apt/sources.list <<EOF
 # Normal repositories
@ -115,19 +118,19 @@ apt-get update
 apt-get purge -y libmysqlclient18 mysql-common

 # Install required packages
-apt-get install -y python-dev \
-                   python2.7 \
+apt-get install -y bridge-utils \
                   build-essential \
                   curl \
                   git-core \
                   ipython \
+                   linux-image-extra-$(uname -r) \
+                   lvm2 \
+                   python2.7 \
+                   python-dev \
                   tmux \
                   vim \
                   vlan \
-                   bridge-utils \
-                   lvm2 \
-                   xfsprogs \
-                   linux-image-extra-$(uname -r)
+                   xfsprogs

 # Flush all the iptables rules set by openstack-infra
 if [ "${FLUSH_IPTABLES}" == "yes" ]; then
--- a/scripts/osad-aio-heat-template.yml
+++ b/scripts/osad-aio-heat-template.yml
@ -34,7 +34,7 @@ parameters:
    description: The aio script installation URL
  frozen_repo_url:
    type: string
-    default: http://rpc-repo.rackspace.com
+    default: https://rpc-repo.rackspace.com
    description: URL to the frozen
  repo_url:
    type: string