Change external resources to https where possible

This change updates all of the external URLs to use HTTPS where
possible. the change will create a more secure deployment by default.

Change-Id: I4d53c021904208bffb0d597c7ae53bbd00f40209
Closes-Bug: 1411331

playbooks/inventory/group_vars/all.yml

@@ -18,13 +18,6 @@ debug: False
 verbose: True
 
 
-## Repo server
-repo_service_user_name: nginx
-repo_service_home_folder: /var/www
-repo_server_port: 8181
-repo_pip_default_index: "http://{{ openstack_upstream_domain }}/pools"
-
-
 ## Rsyslog server
 rsyslog_server_spool_directory: /var/spool/rsyslog
 rsyslog_server_storage_directory: /var/log/log-storage
@@ -34,20 +27,28 @@ rsyslog_server_storage_directory: /var/log/log-storage
 openstack_release: master
 # URL for the frozen internal openstack repo.
 openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
+openstack_upstream_proto: "https"
 openstack_upstream_domain: "rpc-repo.rackspace.com"
-openstack_upstream_url: "http://{{ openstack_upstream_domain }}"
+openstack_upstream_url: "{{ openstack_upstream_proto }}://{{ openstack_upstream_domain }}"
 # Global minimum kernel requirement
 openstack_host_required_kernel: 3.13.0-34-generic
 
 
+## Repo server
+repo_service_user_name: nginx
+repo_service_home_folder: /var/www
+repo_server_port: 8181
+repo_pip_default_index: "{{ openstack_upstream_url }}/pools"
+
+
 ## LXC options
 lxc_container_caches:
   - url: "{{ openstack_upstream_url }}/container_images/rpc-trusty-container.tgz"
     name: "trusty.tgz"
 
 # In container APT repository settings
-lxc_container_template_main_apt_repo: "http://mirror.rackspace.com/ubuntu"
+lxc_container_template_main_apt_repo: "https://mirror.rackspace.com/ubuntu"
-lxc_container_template_security_apt_repo: "http://mirror.rackspace.com/ubuntu"
+lxc_container_template_security_apt_repo: "https://mirror.rackspace.com/ubuntu"
 
 
 ## RabbitMQ

playbooks/roles/galera_client/defaults/main.yml

@@ -25,7 +25,7 @@ galera_client_gpg_keys:
     hash_id: '0xcbcb082a1bb943db'
 
 # Repositories
-galera_client_apt_repo_url: "http://mirror.rackspace.com/mariadb/repo/5.5/ubuntu"
+galera_client_apt_repo_url: "https://mirror.rackspace.com/mariadb/repo/5.5/ubuntu"
 galera_client_apt_repo:
   repo: "deb {{ galera_client_apt_repo_url }} {{ ansible_distribution_release }} main"
   state: "present"

playbooks/roles/galera_server/defaults/main.yml

@@ -52,7 +52,7 @@ galera_gpg_keys:
     hash_id: '0xcbcb082a1bb943db'
 
 # Repositories
-galera_apt_repo_url: "http://mirror.rackspace.com/mariadb/repo/5.5/ubuntu"
+galera_apt_repo_url: "https://mirror.rackspace.com/mariadb/repo/5.5/ubuntu"
 galera_apt_repo:
   repo: "deb {{ galera_apt_repo_url }} {{ ansible_distribution_release }} main"
   state: "present"

playbooks/roles/lxc_container_create/defaults/main.yml

@@ -36,8 +36,8 @@ lxc_container_template_options: >
   --user {{ lxc_container_user_name }}
   --password {{ lxc_container_user_password }}
 
-lxc_container_template_main_apt_repo: "http://archive.ubuntu.com/ubuntu"
+lxc_container_template_main_apt_repo: "https://mirror.rackspace.com/ubuntu"
-lxc_container_template_security_apt_repo: "http://security.ubuntu.com/ubuntu"
+lxc_container_template_security_apt_repo: "https://mirror.rackspace.com/ubuntu"
 
 lxc_container_default_interfaces: |
   # The loopback network interface

playbooks/roles/lxc_hosts/defaults/main.yml

@@ -40,8 +40,8 @@ lxc_kernel_options:
   - { key: 'fs.inotify.max_user_instances', value: 1024 }
   - { key: 'vm.swappiness', value: 10 }
 
-lxc_container_template_main_apt_repo: "http://archive.ubuntu.com/ubuntu"
+lxc_container_template_main_apt_repo: "https://mirror.rackspace.com/ubuntu"
-lxc_container_template_security_apt_repo: "http://security.ubuntu.com/ubuntu"
+lxc_container_template_security_apt_repo: "https://mirror.rackspace.com/ubuntu"
 
 
 # Required apt packages.

playbooks/roles/rabbitmq_server/defaults/main.yml

@@ -18,7 +18,7 @@ is_metal: true
 
 rabbitmq_primary_cluster_node: "{{ groups['rabbitmq_all'][0] }}"
 
-rabbitmq_package_url: http://www.rabbitmq.com/releases/rabbitmq-server/v3.5.1/rabbitmq-server_3.5.1-1_all.deb
+rabbitmq_package_url: https://www.rabbitmq.com/releases/rabbitmq-server/v3.5.1/rabbitmq-server_3.5.1-1_all.deb
 rabbitmq_package_sha256: "e514012a210b4ed5b77d726329ce027c50e8629c396bcde451ac16aaff07d047"
 rabbitmq_package_path: "/opt/rabbitmq-server.deb"
 

playbooks/roles/repo_server/files/openstack-wheel-builder.py

@@ -345,7 +345,7 @@ def main():
                 '--pip-extra-link-dirs',
                 _abs_path(user_vars['link_pool']),
                 '--pip-index',
-                'http://rpc-repo.rackspace.com/pools',
+                'https://rpc-repo.rackspace.com/pools',
                 '--pip-extra-index',
                 'https://pypi.python.org/simple',
                 '--pip-bulk-operation',

scripts/bootstrap-aio.sh

@@ -42,8 +42,8 @@ export TEMPEST_FATAL_DEPRECATIONS=${TEMPEST_FATAL_DEPRECATIONS:-"no"}
 
 # Ubuntu repos
 UBUNTU_RELEASE=$(lsb_release -sc)
-UBUNTU_REPO=${UBUNTU_REPO:-"http://mirror.rackspace.com/ubuntu"}
+UBUNTU_REPO=${UBUNTU_REPO:-"https://mirror.rackspace.com/ubuntu"}
-UBUNTU_SEC_REPO=${UBUNTU_SEC_REPO:-"http://mirror.rackspace.com/ubuntu"}
+UBUNTU_SEC_REPO=${UBUNTU_SEC_REPO:-"https://mirror.rackspace.com/ubuntu"}
 
 
 ## Library Check -------------------------------------------------------------
@@ -91,6 +91,9 @@ if [ ! "$(grep -e '^nameserver 8.8.8.8' -e '^nameserver 8.8.4.4' /etc/resolv.con
   echo -e '\n# Adding google name servers\nnameserver 8.8.8.8\nnameserver 8.8.4.4' | tee -a /etc/resolv.conf
 fi
 
+# Ensure that the https apt transport is available before doing anything else
+apt-get update && apt-get install -y apt-transport-https
+
 # Set the host repositories to only use the same ones, always, for the sake of consistency.
 cat > /etc/apt/sources.list <<EOF
 # Normal repositories
@@ -115,19 +118,19 @@ apt-get update
 apt-get purge -y libmysqlclient18 mysql-common
 
 # Install required packages
-apt-get install -y python-dev \
+apt-get install -y bridge-utils \
-                   python2.7 \
                    build-essential \
                    curl \
                    git-core \
                    ipython \
+                   linux-image-extra-$(uname -r) \
+                   lvm2 \
+                   python2.7 \
+                   python-dev \
                    tmux \
                    vim \
                    vlan \
-                   bridge-utils \
+                   xfsprogs
-                   lvm2 \
-                   xfsprogs \
-                   linux-image-extra-$(uname -r)
 
 # Flush all the iptables rules set by openstack-infra
 if [ "${FLUSH_IPTABLES}" == "yes" ]; then

scripts/osad-aio-heat-template.yml

@@ -34,7 +34,7 @@ parameters:
     description: The aio script installation URL
   frozen_repo_url:
     type: string
-    default: http://rpc-repo.rackspace.com
+    default: https://rpc-repo.rackspace.com
     description: URL to the frozen
   repo_url:
     type: string