From 9471b8c42b9707d5de05556a91fa2b934eb1eb77 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Tue, 19 May 2020 14:57:14 -0700 Subject: [PATCH] Add option to prefer https/ssl in configure-mirrors We should offer the option of https in addition to http in our configure-mirrors role as users may want to consume mirrors using https. This has become more viable in recent years with the releases of Debian Buster and Ubuntu Bionic supporting it out of the box. Change-Id: I747c1a379dfce9469e643d7fa199c8e8554f5289 --- roles/configure-mirrors/README.rst | 7 +++++ roles/configure-mirrors/defaults/main.yaml | 13 ++++++--- roles/configure-mirrors/vars/CentOS.yaml | 4 +-- roles/configure-mirrors/vars/Debian.yaml | 4 +-- roles/configure-mirrors/vars/Fedora.yaml | 2 +- roles/configure-mirrors/vars/Suse.yaml | 4 +-- .../vars/Ubuntu.aarch64.yaml | 2 +- roles/configure-mirrors/vars/Ubuntu.yaml | 2 +- .../base-roles/configure-mirrors.yaml | 27 +++++++++++++++++-- 9 files changed, 51 insertions(+), 14 deletions(-) diff --git a/roles/configure-mirrors/README.rst b/roles/configure-mirrors/README.rst index d7d6570d0..8152ce499 100644 --- a/roles/configure-mirrors/README.rst +++ b/roles/configure-mirrors/README.rst @@ -7,6 +7,13 @@ An ansible role to configure services to use mirrors. The base host for mirror servers. +.. zuul:rolevar:: mirror_use_ssl + :default: False + + Use ssl to communicate to mirror endpoints. Note if the platform + cannot use ssl (for example Ubuntu Xenial apt needs additional packages) + this will still use http instead of https when set for that platform. + .. zuul:rolevar:: pypi_fqdn :default: {{ mirror_fqdn }} diff --git a/roles/configure-mirrors/defaults/main.yaml b/roles/configure-mirrors/defaults/main.yaml index 4a07e2c90..7cd665bb7 100644 --- a/roles/configure-mirrors/defaults/main.yaml +++ b/roles/configure-mirrors/defaults/main.yaml 
@@ -1,5 +1,12 @@
+set_apt_mirrors_trusted: False
 mirror_fqdn: "{{ zuul_site_mirror_fqdn|default(omit) }}"
 pypi_fqdn: "{{ mirror_fqdn }}"
-pypi_mirror: "http://{{ pypi_fqdn }}/pypi/simple"
-set_apt_mirrors_trusted: False
-wheel_mirror: "http://{{ mirror_fqdn }}/wheel/{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}"
+mirror_use_ssl: False
+http_or_https: >-
+ {%- if mirror_use_ssl and ansible_distribution_release not in ['xenial', 'stretch'] -%}
+ https
+ {%- else -%}
+ http
+ {%- endif -%}
+pypi_mirror: "{{ http_or_https }}://{{ pypi_fqdn }}/pypi/simple"
+wheel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/wheel/{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}"
diff --git a/roles/configure-mirrors/vars/CentOS.yaml b/roles/configure-mirrors/vars/CentOS.yaml
index 79ea83ed0..7821347ea 100644
--- a/roles/configure-mirrors/vars/CentOS.yaml
+++ b/roles/configure-mirrors/vars/CentOS.yaml
@@ -1,2 +1,2 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
-epel_mirror: "http://{{ mirror_fqdn }}/epel"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+epel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/epel"
diff --git a/roles/configure-mirrors/vars/Debian.yaml b/roles/configure-mirrors/vars/Debian.yaml
index 37406c126..8b24e3331 100644
--- a/roles/configure-mirrors/vars/Debian.yaml
+++ b/roles/configure-mirrors/vars/Debian.yaml
@@ -1,2 +1,2 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
-security_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-security"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+security_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-security"
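Review bot: In roles/configure-mirrors/defaults/main.yaml, `http_or_https` falls back to `http` on xenial and stretch without any message, and the fallback reaches every URL built from it, including `pypi_mirror` and `wheel_mirror`. The README hunk gives apt's missing https support as the reason for the exception, which would not appear to apply to pip, so a job that sets `mirror_use_ssl` may still fetch Python packages over plain http on those releases; consider restricting the release check to the apt URLs, or logging a message when the downgrade takes effect. Separately, the condition tests raw truthiness, so a string such as `"false"` supplied through extra vars or inventory would enable https; `{%- if mirror_use_ssl | bool and ansible_distribution_release not in ['xenial', 'stretch'] -%}` avoids that.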
diff --git a/roles/configure-mirrors/vars/Fedora.yaml b/roles/configure-mirrors/vars/Fedora.yaml
index e4da29a79..a2b5d4c87 100644
--- a/roles/configure-mirrors/vars/Fedora.yaml
+++ b/roles/configure-mirrors/vars/Fedora.yaml
@@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
diff --git a/roles/configure-mirrors/vars/Suse.yaml b/roles/configure-mirrors/vars/Suse.yaml
index 5947d7121..52c4800f5 100644
--- a/roles/configure-mirrors/vars/Suse.yaml
+++ b/roles/configure-mirrors/vars/Suse.yaml
@@ -1,7 +1,7 @@
-package_mirror: "http://{{ mirror_fqdn }}/opensuse"
 wheels_slug: "{%- if ansible_distribution == 'openSUSE Tumbleweed' -%}
 opensuse-tumbleweed-{{ ansible_architecture | lower }}
 {%- else -%}
 {{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}
 {%- endif -%}"
-wheel_mirror: "http://{{ mirror_fqdn }}/wheel/{{ wheels_slug }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/opensuse"
+wheel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/wheel/{{ wheels_slug }}"
diff --git a/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml b/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
index 047179039..cd9b03768 100644
--- a/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
+++ b/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
@@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-ports"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-ports"
diff --git a/roles/configure-mirrors/vars/Ubuntu.yaml b/roles/configure-mirrors/vars/Ubuntu.yaml
index e4da29a79..a2b5d4c87 100644
--- a/roles/configure-mirrors/vars/Ubuntu.yaml
+++ b/roles/configure-mirrors/vars/Ubuntu.yaml
@@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
diff --git a/test-playbooks/base-roles/configure-mirrors.yaml b/test-playbooks/base-roles/configure-mirrors.yaml
index 1efedb8fe..114ad5a2d 100644
--- a/test-playbooks/base-roles/configure-mirrors.yaml
+++ b/test-playbooks/base-roles/configure-mirrors.yaml
@@ -1,4 +1,4 @@
-- name: Test the configure-mirrors role
+- name: Test the configure-mirrors role with http
 hosts: all
 roles:
 - role: configure-mirrors
@@ -9,7 +9,30 @@
 set_fact:
 emacs_package: app-editors/emacs
 when: ansible_distribution == 'Gentoo'
- - name: Install a package to sanity check the mirror configuration
+ - name: Install a package to sanity check the http mirror configuration
+ package:
+ name: "{{ emacs_package | default('emacs') }}"
+ state: "present"
+ become: yes
+
+- name: Test the configure-mirrors role with https
+ hosts: all
+ roles:
+ - role: configure-mirrors
+ mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+ mirror_use_ssl: True
+ set_apt_mirrors_trusted: True
+ post_tasks:
+ - name: Set emacs package fact for gentoo
+ set_fact:
+ emacs_package: app-editors/emacs
+ when: ansible_distribution == 'Gentoo'
+ - name: Remove existing emacs package install
+ package:
+ name: "{{ emacs_package | default('emacs') }}"
+ state: "absent"
+ become: yes
+ - name: Install a package to sanity check the https mirror configuration
 package:
 name: "{{ emacs_package | default('emacs') }}"
 state: "present"
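Review bot: The https play in test-playbooks/base-roles/configure-mirrors.yaml only proves that a package still installs; nothing asserts that the rendered mirror configuration actually uses `https://`. Because `http_or_https` deliberately falls back to `http` on xenial and stretch, and would do the same if `mirror_use_ssl` were not picked up, this play can pass while exercising the same http path as the first one. A post-task that checks the generated package-manager or pip configuration for the expected scheme, skipped on the excluded releases, would make the test meaningful. The play also sets `set_apt_mirrors_trusted: True`; if that marks the apt sources as trusted (the role's tasks are not visible here), signature verification is not exercised over the new transport either.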