diff --git a/docs/downloads.md b/docs/downloads.md
index a7c445c51d1e2f7225cdba159153b8bf5f81da29..dc6f5cf3062b1162c5e84cac221714718ff3f0c9 100644
--- a/docs/downloads.md
+++ b/docs/downloads.md
@@ -47,6 +47,7 @@ In case your servers don't have access to internet (for example when deploying o
 
 * At least `foo_image_repo` and `foo_download_url` as described before (i.e. in case of use of proxies to registries and binaries repositories, checksums and versions do not necessarily need to be changed).
   NB: Regarding `foo_image_repo`, when using insecure registries/proxies, you will certainly have to append them to the `docker_insecure_registries` variable in group_vars/all/docker.yml
+* `pyrepo_index` (and optionally `pyrepo_cert`)
 * Depending on the `container_manager`
   * When `container_manager=docker`, `docker_foo_repo_base_url`, `docker_foo_repo_gpgkey`, `dockerproject_bar_repo_base_url` and `dockerproject_bar_repo_gpgkey` (where `foo` is the distribution and `bar` is system package manager)
   * When `container_manager=crio`, `crio_rhel_repo_base_url` 
diff --git a/extra_playbooks/build-cephfs-provisioner.yml b/extra_playbooks/build-cephfs-provisioner.yml
index a669805c7fd66c02814ee4d2313c96b56985a256..c064bda3950400734b363b197691812af53bfb5c 100644
--- a/extra_playbooks/build-cephfs-provisioner.yml
+++ b/extra_playbooks/build-cephfs-provisioner.yml
@@ -7,6 +7,7 @@
         name: "{{ item.name }}"
         version: "{{ item.version }}"
         state: "{{ item.state }}"
+        extra_args: "{{ pip_extra_args | default(omit) }}"
       with_items:
         - { state: "present", name: "docker", version: "3.4.1" }
         - { state: "present", name: "docker-compose", version: "1.21.2" }
diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index 042f1580a8333cd64f84e6eedc9d6f42cb39f9e0..dbe608faae820d909d0ac2d6f92f66a43001d291 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -77,3 +77,7 @@ bin_dir: /usr/local/bin
 
 ## Set true to download and cache container
 #download_container: true
+
+## Set Pypi repo and cert accordingly
+#pyrepo_index: https://pypi.example.com/simple
+#pyrepo_cert: /etc/ssl/certs/ca-certificates.crt
diff --git a/roles/bootstrap-os/tasks/bootstrap-coreos.yml b/roles/bootstrap-os/tasks/bootstrap-coreos.yml
index d4fad92b50c712c4f96d27c542a899d78f1bdfe0..b5ad3426bcfffd80680052a09a0536e942a02498 100644
--- a/roles/bootstrap-os/tasks/bootstrap-coreos.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-coreos.yml
@@ -60,6 +60,7 @@
 - name: Install required python modules
   pip:
     name: "{{ item }}"
+    extra_args: "{{ pip_extra_args | default(omit) }}"
   with_items: "{{pip_python_coreos_modules}}"
   environment:
     PATH: "{{ ansible_env.PATH }}:{{ bin_dir }}"
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index de7915d8cb8a5f69660670b2cd95b5839134348f..24c47d8580a913c0aee643b08553c04fb5fcab22 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -454,3 +454,13 @@ etcd_snapshot_count: "10000"
 
 certificates_key_size: 2048
 certificates_duration: 36500
+
+pip_extra_args: |-
+  {%- set pip_extra_args_list = [] -%}
+  {%- if pyrepo_index is defined -%}
+  {%- set DO = pip_extra_args_list.append('--index-url %s' | format(pyrepo_index)) -%}
+  {%- if pyrepo_cert is defined -%}
+  {%- set DO = pip_extra_args_list.append('--cert %s' | format(pyrepo_cert)) -%}
+  {%- endif -%}
+  {%- endif -%}
+  {{ pip_extra_args_list|join(' ') }}
diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml
index ae59132a37e4eca355cc760ecd6a2cd0418be653..cf6ad6282c6e81d96ffb9e723f8f55be2292581a 100644
--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@@ -14,6 +14,7 @@
   pip:
     name: "hvac"
     state: "present"
+    extra_args: "{{ pip_extra_args | default(omit) }}"
 
 ## Bootstrap
 - include_tasks: bootstrap/main.yml
diff --git a/roles/vault/tasks/shared/issue_cert.yml b/roles/vault/tasks/shared/issue_cert.yml
index be49f375d6490ccb1b37e966ce0e2788df34c56b..3b88c87515c80b9de904d8fff876ad1f4d3c0ea8 100644
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@@ -52,6 +52,7 @@
   pip:
     name: "hvac"
     state: "present"
+    extra_args: "{{ pip_extra_args | default(omit) }}"
 
 - name: gen_certs_vault | Pull vault CA
   get_url: