From 79bf74e90f154ba71661d4d8dab3b9661ceb758b Mon Sep 17 00:00:00 2001
From: Erwan Miran <mirwan@users.noreply.github.com>
Date: Wed, 24 Oct 2018 07:22:09 +0200
Subject: [PATCH] Offline deployment: PyPi repo (#3542)

---
 docs/downloads.md                             |  1 +
 extra_playbooks/build-cephfs-provisioner.yml  |  1 +
 inventory/sample/group_vars/all/all.yml       |  4 ++++
 roles/bootstrap-os/tasks/bootstrap-coreos.yml |  1 +
 roles/kubespray-defaults/defaults/main.yaml   | 10 ++++++++++
 roles/vault/tasks/main.yml                    |  1 +
 roles/vault/tasks/shared/issue_cert.yml       |  1 +
 7 files changed, 19 insertions(+)

diff --git a/docs/downloads.md b/docs/downloads.md
index a7c445c51..dc6f5cf30 100644
--- a/docs/downloads.md
+++ b/docs/downloads.md
@@ -47,6 +47,7 @@ In case your servers don't have access to internet (for example when deploying o
 
 * At least `foo_image_repo` and `foo_download_url` as described before (i.e. in case of use of proxies to registries and binaries repositories, checksums and versions do not necessarily need to be changed).
   NB: Regarding `foo_image_repo`, when using insecure registries/proxies, you will certainly have to append them to the `docker_insecure_registries` variable in group_vars/all/docker.yml
+* `pyrepo_index` (and optionally `pyrepo_cert`)
 * Depending on the `container_manager`
   * When `container_manager=docker`, `docker_foo_repo_base_url`, `docker_foo_repo_gpgkey`, `dockerproject_bar_repo_base_url` and `dockerproject_bar_repo_gpgkey` (where `foo` is the distribution and `bar` is system package manager)
   * When `container_manager=crio`, `crio_rhel_repo_base_url` 
diff --git a/extra_playbooks/build-cephfs-provisioner.yml b/extra_playbooks/build-cephfs-provisioner.yml
index a669805c7..c064bda39 100644
--- a/extra_playbooks/build-cephfs-provisioner.yml
+++ b/extra_playbooks/build-cephfs-provisioner.yml
@@ -7,6 +7,7 @@
         name: "{{ item.name }}"
         version: "{{ item.version }}"
         state: "{{ item.state }}"
+        extra_args: "{{ pip_extra_args | default(omit) }}"
       with_items:
         - { state: "present", name: "docker", version: "3.4.1" }
         - { state: "present", name: "docker-compose", version: "1.21.2" }
diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index 042f1580a..dbe608faa 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -77,3 +77,7 @@ bin_dir: /usr/local/bin
 
 ## Set true to download and cache container
 #download_container: true
+
+## Set Pypi repo and cert accordingly
+#pyrepo_index: https://pypi.example.com/simple
+#pyrepo_cert: /etc/ssl/certs/ca-certificates.crt
diff --git a/roles/bootstrap-os/tasks/bootstrap-coreos.yml b/roles/bootstrap-os/tasks/bootstrap-coreos.yml
index d4fad92b5..b5ad3426b 100644
--- a/roles/bootstrap-os/tasks/bootstrap-coreos.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-coreos.yml
@@ -60,6 +60,7 @@
 - name: Install required python modules
   pip:
     name: "{{ item }}"
+    extra_args: "{{ pip_extra_args | default(omit) }}"
   with_items: "{{pip_python_coreos_modules}}"
   environment:
     PATH: "{{ ansible_env.PATH }}:{{ bin_dir }}"
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index de7915d8c..24c47d858 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -454,3 +454,13 @@ etcd_snapshot_count: "10000"
 
 certificates_key_size: 2048
 certificates_duration: 36500
+
+pip_extra_args: |-
+  {%- set pip_extra_args_list = [] -%}
+  {%- if pyrepo_index is defined -%}
+  {%- set DO = pip_extra_args_list.append('--index-url %s' | format(pyrepo_index)) -%}
+  {%- if pyrepo_cert is defined -%}
+  {%- set DO = pip_extra_args_list.append('--cert %s' | format(pyrepo_cert)) -%}
+  {%- endif -%}
+  {%- endif -%}
+  {{ pip_extra_args_list|join(' ') }}
diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml
index ae59132a3..cf6ad6282 100644
--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@@ -14,6 +14,7 @@
   pip:
     name: "hvac"
     state: "present"
+    extra_args: "{{ pip_extra_args | default(omit) }}"
 
 ## Bootstrap
 - include_tasks: bootstrap/main.yml
diff --git a/roles/vault/tasks/shared/issue_cert.yml b/roles/vault/tasks/shared/issue_cert.yml
index be49f375d..3b88c8751 100644
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@@ -52,6 +52,7 @@
   pip:
     name: "hvac"
     state: "present"
+    extra_args: "{{ pip_extra_args | default(omit) }}"
 
 - name: gen_certs_vault | Pull vault CA
   get_url: