feat: add option to use custome CA for https_proxy (#10215)

docs/proxy.md

@@ -7,6 +7,12 @@ If you set http and https proxy, all nodes and loadbalancer will be excluded fro
  `http_proxy:"http://example.proxy.tld:port"`
  `https_proxy:"http://example.proxy.tld:port"`
 
+## Set custom CA
+
+CA must be already on each target nodes
+
+  `https_proxy_cert_file: /path/to/host/custom/ca.crt`
+
 ## Set default no_proxy (this will override default no_proxy generation)
 
 `no_proxy: "node1,node1_ip,node2,node2_ip...additional_host"`

inventory/sample/group_vars/all/all.yml

@@ -52,9 +52,10 @@ loadbalancer_apiserver_healthcheck_port: 8081
 ## When openstack or vsphere are used make sure to source in the required fields
 # external_cloud_provider:
 
-## Set these proxy values in order to update package manager and docker daemon to use proxies
+## Set these proxy values in order to update package manager and docker daemon to use proxies and custom CA for https_proxy if needed
 # http_proxy: ""
 # https_proxy: ""
+# https_proxy_cert_file: ""
 
 ## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
 # no_proxy: ""

roles/kubespray-defaults/defaults/main.yaml

@@ -652,7 +652,7 @@ host_os: >-
 # Setting it to 0 allows unlimited requests per second.
 kubelet_event_record_qps: 5
 
-proxy_env:
+proxy_env_defaults:
   http_proxy: "{{ http_proxy | default ('') }}"
   HTTP_PROXY: "{{ http_proxy | default ('') }}"
   https_proxy: "{{ https_proxy | default ('') }}"
@@ -660,6 +660,10 @@ proxy_env:
   no_proxy: "{{ no_proxy | default ('') }}"
   NO_PROXY: "{{ no_proxy | default ('') }}"
 
+# If we use SSL_CERT_FILE: {{ omit }} it cause in value __omit_place_holder__ and break environments
+# Combine dict is avoiding the problem with omit placeholder. Maybe it can be better solution?
+proxy_env: "{{ proxy_env_defaults | combine({ 'SSL_CERT_FILE': https_proxy_cert_file }) if https_proxy_cert_file is defined else proxy_env_defaults }}"
+
 proxy_disable_env:
   ALL_PROXY: ''
   FTP_PROXY: ''