From 8f85ea89fac4e1ebfab97a6a8118af56d4397233 Mon Sep 17 00:00:00 2001
From: Anatoly Rugalev <anatoly.rugalev@gmail.com>
Date: Fri, 21 Sep 2018 11:51:17 +0200
Subject: [PATCH] Added `download_validate_certs` option which allows to
 disables SSL validation for file downloads

---
 inventory/sample/group_vars/all/all.yml | 5 +++++
 roles/download/defaults/main.yml        | 5 +++++
 roles/download/tasks/download_file.yml  | 1 +
 3 files changed, 11 insertions(+)

diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index 074321902..68e670ba9 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -61,6 +61,11 @@ bin_dir: /usr/local/bin
 ## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
 #no_proxy: ""
 
+## Some problems may occur when downloading files over https proxy due to ansible bug
+## https://github.com/ansible/ansible/issues/32750. Set this variable to False to disable
+## SSL validation of get_url module. Note that kubespray will still be performing checksum validation.
+#download_validate_certs: False
+
 ## If you need exclude all cluster nodes from proxy and other resources, add other resources here.
 #additional_no_proxy: ""
 
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 969f66b3c..8cd4da3d0 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -23,6 +23,11 @@ download_localhost: False
 # Always pull images if set to True. Otherwise check by the repo's tag/digest.
 download_always_pull: False
 
+# Some problems may occur when downloading files over https proxy due to ansible bug
+# https://github.com/ansible/ansible/issues/32750. Set this variable to False to disable
+# SSL validation of get_url module. Note that kubespray will still be performing checksum validation.
+download_validate_certs: True
+
 # Use the first kube-master if download_localhost is not set
 download_delegate: "{% if download_localhost %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"
 
diff --git a/roles/download/tasks/download_file.yml b/roles/download/tasks/download_file.yml
index 832fec41e..2d0106fe6 100644
--- a/roles/download/tasks/download_file.yml
+++ b/roles/download/tasks/download_file.yml
@@ -22,6 +22,7 @@
     sha256sum: "{{download.sha256 | default(omit)}}"
     owner: "{{ download.owner|default(omit) }}"
     mode: "{{ download.mode|default(omit) }}"
+    validate_certs: "{{ download_validate_certs }}"
   register: get_url_result
   until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
   retries: 4
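Review bot: With `download_validate_certs` set to False, the added `validate_certs` line can leave a download with no authenticity check at all, because `sha256sum` at the top of this hunk is `default(omit)` and is therefore skipped for any entry that defines no `sha256`. The comments added in inventory/sample/group_vars/all/all.yml and roles/download/defaults/main.yml say checksum validation is still performed, which holds only when a checksum is actually set. Consider keeping certificate validation on whenever no checksum is present, e.g. `validate_certs: "{{ (download_validate_certs | bool) or (download.sha256 is not defined) }}"`, and rewording both comments to say that checksum validation applies only to downloads that define `sha256`. The get_url task starts above this hunk and may continue below it, so whether every caller supplies `sha256` cannot be confirmed from here.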
-- 
GitLab