Added `download_validate_certs` option which allows to disables SSL validation for file downloads

inventory/sample/group_vars/all/all.yml

@@ -61,6 +61,11 @@ bin_dir: /usr/local/bin
 ## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
 #no_proxy: ""
 
+## Some problems may occur when downloading files over https proxy due to ansible bug
+## https://github.com/ansible/ansible/issues/32750. Set this variable to False to disable
+## SSL validation of get_url module. Note that kubespray will still be performing checksum validation.
+#download_validate_certs: False
+
 ## If you need exclude all cluster nodes from proxy and other resources, add other resources here.
 #additional_no_proxy: ""
 

roles/download/defaults/main.yml

@@ -23,6 +23,11 @@ download_localhost: False
 # Always pull images if set to True. Otherwise check by the repo's tag/digest.
 download_always_pull: False
 
+# Some problems may occur when downloading files over https proxy due to ansible bug
+# https://github.com/ansible/ansible/issues/32750. Set this variable to False to disable
+# SSL validation of get_url module. Note that kubespray will still be performing checksum validation.
+download_validate_certs: True
+
 # Use the first kube-master if download_localhost is not set
 download_delegate: "{% if download_localhost %}localhost{% else %}{{groups['kube-master'][0]}}{% endif %}"
 

roles/download/tasks/download_file.yml

@@ -22,6 +22,7 @@
     sha256sum: "{{download.sha256 | default(omit)}}"
     owner: "{{ download.owner|default(omit) }}"
     mode: "{{ download.mode|default(omit) }}"
+    validate_certs: "{{ download_validate_certs }}"
   register: get_url_result
   until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
   retries: 4