From 9471b8c42b9707d5de05556a91fa2b934eb1eb77 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Tue, 19 May 2020 14:57:14 -0700
Subject: [PATCH] Add option to prefer https/ssl in configure-mirrors

We should offer the option of https in addition to http in our
configure-mirrors role as users may want to consume mirrors using https.
This has become more viable in recent years with the releases of Debian
Buster and Ubuntu Bionic supporting it out of the box.

Change-Id: I747c1a379dfce9469e643d7fa199c8e8554f5289
---
 roles/configure-mirrors/README.rst            |  7 +++++
 roles/configure-mirrors/defaults/main.yaml    | 13 ++++++---
 roles/configure-mirrors/vars/CentOS.yaml      |  4 +--
 roles/configure-mirrors/vars/Debian.yaml      |  4 +--
 roles/configure-mirrors/vars/Fedora.yaml      |  2 +-
 roles/configure-mirrors/vars/Suse.yaml        |  4 +--
 .../vars/Ubuntu.aarch64.yaml                  |  2 +-
 roles/configure-mirrors/vars/Ubuntu.yaml      |  2 +-
 .../base-roles/configure-mirrors.yaml         | 27 +++++++++++++++++--
 9 files changed, 51 insertions(+), 14 deletions(-)

diff --git a/roles/configure-mirrors/README.rst b/roles/configure-mirrors/README.rst
index d7d6570d0..8152ce499 100644
--- a/roles/configure-mirrors/README.rst
+++ b/roles/configure-mirrors/README.rst
@@ -7,6 +7,13 @@ An ansible role to configure services to use mirrors.
 
    The base host for mirror servers.
 
+.. zuul:rolevar:: mirror_use_ssl
+   :default: False
+
+   Use ssl to communicate to mirror endpoints. Note if the platform
+   cannot use ssl (for example Ubuntu Xenial apt needs additional packages)
+   this will still use http instead of https when set for that platform.
+
 .. zuul:rolevar:: pypi_fqdn
    :default: {{ mirror_fqdn }}
 
diff --git a/roles/configure-mirrors/defaults/main.yaml b/roles/configure-mirrors/defaults/main.yaml
index 4a07e2c90..7cd665bb7 100644
--- a/roles/configure-mirrors/defaults/main.yaml
+++ b/roles/configure-mirrors/defaults/main.yaml
@@ -1,5 +1,12 @@
+set_apt_mirrors_trusted: False
 mirror_fqdn: "{{ zuul_site_mirror_fqdn|default(omit) }}"
 pypi_fqdn: "{{ mirror_fqdn }}"
-pypi_mirror: "http://{{ pypi_fqdn }}/pypi/simple"
-set_apt_mirrors_trusted: False
-wheel_mirror: "http://{{ mirror_fqdn }}/wheel/{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}"
+mirror_use_ssl: False
+http_or_https: >-
+  {%- if mirror_use_ssl and ansible_distribution_release not in ['xenial', 'stretch'] -%}
+  https
+  {%- else -%}
+  http
+  {%- endif -%}
+pypi_mirror: "{{ http_or_https }}://{{ pypi_fqdn }}/pypi/simple"
+wheel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/wheel/{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}"
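Review bot: The `{%- if mirror_use_ssl and ... -%}` test in `http_or_https` reads the raw variable, so a string value such as "false" supplied through extra vars or inventory is truthy and would still select https. Cast it explicitly: `{%- if mirror_use_ssl | bool and ansible_distribution_release not in ['xenial', 'stretch'] -%}`. The release check also governs `pypi_mirror` and `wheel_mirror` here and, through `http_or_https`, every URL in the vars/ files changed below. A user who sets `mirror_use_ssl` on xenial or stretch therefore gets plaintext http for all of them with no message at run time; only the README mentions the fallback. A comment above the template such as `# Falls back to http on releases whose apt cannot use https without extra packages` would record that, and a debug or warning task in the role when the fallback is taken is worth considering.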
diff --git a/roles/configure-mirrors/vars/CentOS.yaml b/roles/configure-mirrors/vars/CentOS.yaml
index 79ea83ed0..7821347ea 100644
--- a/roles/configure-mirrors/vars/CentOS.yaml
+++ b/roles/configure-mirrors/vars/CentOS.yaml
@@ -1,2 +1,2 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
-epel_mirror: "http://{{ mirror_fqdn }}/epel"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+epel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/epel"
diff --git a/roles/configure-mirrors/vars/Debian.yaml b/roles/configure-mirrors/vars/Debian.yaml
index 37406c126..8b24e3331 100644
--- a/roles/configure-mirrors/vars/Debian.yaml
+++ b/roles/configure-mirrors/vars/Debian.yaml
@@ -1,2 +1,2 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
-security_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-security"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+security_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-security"
diff --git a/roles/configure-mirrors/vars/Fedora.yaml b/roles/configure-mirrors/vars/Fedora.yaml
index e4da29a79..a2b5d4c87 100644
--- a/roles/configure-mirrors/vars/Fedora.yaml
+++ b/roles/configure-mirrors/vars/Fedora.yaml
@@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
diff --git a/roles/configure-mirrors/vars/Suse.yaml b/roles/configure-mirrors/vars/Suse.yaml
index 5947d7121..52c4800f5 100644
--- a/roles/configure-mirrors/vars/Suse.yaml
+++ b/roles/configure-mirrors/vars/Suse.yaml
@@ -1,7 +1,7 @@
-package_mirror: "http://{{ mirror_fqdn }}/opensuse"
 wheels_slug: "{%- if ansible_distribution == 'openSUSE Tumbleweed' -%}
                  opensuse-tumbleweed-{{ ansible_architecture | lower }}
               {%- else -%}
                  {{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}
               {%- endif -%}"
-wheel_mirror: "http://{{ mirror_fqdn }}/wheel/{{ wheels_slug }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/opensuse"
+wheel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/wheel/{{ wheels_slug }}"
diff --git a/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml b/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
index 047179039..cd9b03768 100644
--- a/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
+++ b/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
@@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-ports"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-ports"
diff --git a/roles/configure-mirrors/vars/Ubuntu.yaml b/roles/configure-mirrors/vars/Ubuntu.yaml
index e4da29a79..a2b5d4c87 100644
--- a/roles/configure-mirrors/vars/Ubuntu.yaml
+++ b/roles/configure-mirrors/vars/Ubuntu.yaml
@@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
diff --git a/test-playbooks/base-roles/configure-mirrors.yaml b/test-playbooks/base-roles/configure-mirrors.yaml
index 1efedb8fe..114ad5a2d 100644
--- a/test-playbooks/base-roles/configure-mirrors.yaml
+++ b/test-playbooks/base-roles/configure-mirrors.yaml
@@ -1,4 +1,4 @@
-- name: Test the configure-mirrors role
+- name: Test the configure-mirrors role with http
   hosts: all
   roles:
     - role: configure-mirrors
@@ -9,7 +9,30 @@
       set_fact:
         emacs_package: app-editors/emacs
       when: ansible_distribution == 'Gentoo'
-    - name: Install a package to sanity check the mirror configuration
+    - name: Install a package to sanity check the http mirror configuration
+      package:
+        name: "{{ emacs_package | default('emacs') }}"
+        state: "present"
+      become: yes
+
+- name: Test the configure-mirrors role with https
+  hosts: all
+  roles:
+    - role: configure-mirrors
+      mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      mirror_use_ssl: True
+      set_apt_mirrors_trusted: True
+  post_tasks:
+    - name: Set emacs package fact for gentoo
+      set_fact:
+        emacs_package: app-editors/emacs
+      when: ansible_distribution == 'Gentoo'
+    - name: Remove existing emacs package install
+      package:
+        name: "{{ emacs_package | default('emacs') }}"
+        state: "absent"
+      become: yes
+    - name: Install a package to sanity check the https mirror configuration
       package:
         name: "{{ emacs_package | default('emacs') }}"
         state: "present"
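Review bot: The https play shows only that a package install succeeds, not that https was used, because nothing after the role checks which scheme ended up in the generated mirror configuration. On xenial or stretch nodes `http_or_https` resolves to http, so there this play simply repeats the http test. Consider a post task that asserts the rendered configuration references `https://` on the releases where that is expected. The play also sets `set_apt_mirrors_trusted: True`; if, as the name suggests, that relaxes apt's signature checking for the mirror, this test would not catch an https setup that breaks signature verification, so a short comment saying why it is needed here would help. The final install task continues past the end of the hunk.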