Only setup *_PROXY env variables where needed (#7095)

no_proxy is a pain to get right, and having proxy variables present causes issues
(k8s components get proxy configuration after upgrade, see #7100)

It's better to only configure what require proxy:
- the runtime (containerd/docker/crio)
- the package manager + apt_key
- the download tasks

Tested with the following clusters
- 4 CentOS 8 nodes
- 1 Ubuntu 20.04 node

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>

roles/bootstrap-os/tasks/bootstrap-centos.yml

@@ -24,6 +24,7 @@
     - use_oracle_public_repo|default(true)
     - '"Oracle" in os_release.stdout'
     - (ansible_distribution_version | float) < 7.6
+  environment: "{{ proxy_env }}"
 
 - name: Enable Oracle Linux repo
   ini_file:

roles/bootstrap-os/tasks/bootstrap-coreos.yml

@@ -4,7 +4,6 @@
 - name: Check if bootstrap is needed
   raw: stat /opt/bin/.bootstrapped
   register: need_bootstrap
-  environment: {}
   failed_when: false
   changed_when: false
   tags:
@@ -19,9 +18,7 @@
 - name: Run bootstrap.sh
   script: bootstrap.sh
   become: true
-  environment:
-    http_proxy: "{{ http_proxy | default('') }}"
-    https_proxy: "{{ https_proxy | default('') }}"
+  environment: "{{ proxy_env }}"
   when:
     - need_bootstrap.rc != 0
 

roles/bootstrap-os/tasks/bootstrap-debian.yml

@@ -8,7 +8,6 @@
   changed_when: false
   # This command should always run, even in check mode
   check_mode: false
-  environment: {}
   tags:
     - facts
 
@@ -19,12 +18,10 @@
   changed_when: false
   # This command should always run, even in check mode
   check_mode: false
-  environment: {}
 
 - name: Add http_proxy to /etc/apt/apt.conf if http_proxy is defined
   raw: echo 'Acquire::http::proxy "{{ http_proxy }}";' >> /etc/apt/apt.conf
   become: true
-  environment: {}
   when:
     - http_proxy is defined
     - need_http_proxy.rc != 0
@@ -37,12 +34,10 @@
   changed_when: false
   # This command should always run, even in check mode
   check_mode: false
-  environment: {}
 
 - name: Add https_proxy to /etc/apt/apt.conf if https_proxy is defined
   raw: echo 'Acquire::https::proxy "{{ https_proxy }}";' >> /etc/apt/apt.conf
   become: true
-  environment: {}
   when:
     - https_proxy is defined
     - need_https_proxy.rc != 0
@@ -55,14 +50,12 @@
   changed_when: false
   # This command should always run, even in check mode
   check_mode: false
-  environment: {}
   when:
     - '"bionic" in os_release.stdout'
 
 - name: Change Network Name Resolution configuration
   raw: sed -i 's/^DNSSEC=yes/DNSSEC=allow-downgrade/g' /etc/systemd/resolved.conf
   become: true
-  environment: {}
   when:
     - '"bionic" in os_release.stdout'
     - need_dnssec_allow_downgrade.rc
@@ -70,7 +63,6 @@
 - name: Restart systemd-resolved service
   raw: systemctl restart systemd-resolved
   become: true
-  environment: {}
   when:
     - '"bionic" in os_release.stdout'
     - need_dnssec_allow_downgrade.rc
@@ -80,7 +72,6 @@
     apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y python3-minimal
   become: true
-  environment: {}
   when:
     - need_bootstrap.rc != 0
 

roles/bootstrap-os/tasks/bootstrap-fedora.yml

@@ -6,7 +6,6 @@
   register: need_bootstrap
   failed_when: false
   changed_when: false
-  environment: {}
   tags:
     - facts
 
@@ -24,7 +23,6 @@
 - name: Install python3 on fedora
   raw: "dnf install --assumeyes --quiet python3"
   become: true
-  environment: {}
   when:
     - need_bootstrap.rc != 0
 

roles/bootstrap-os/tasks/bootstrap-flatcar.yml

@@ -4,7 +4,6 @@
 - name: Check if bootstrap is needed
   raw: stat /opt/bin/.bootstrapped
   register: need_bootstrap
-  environment: {}
   failed_when: false
   changed_when: false
   tags:
@@ -19,9 +18,7 @@
 - name: Run bootstrap.sh
   script: bootstrap.sh
   become: true
-  environment:
-    http_proxy: "{{ http_proxy | default('') }}"
-    https_proxy: "{{ https_proxy | default('') }}"
+  environment: "{{ proxy_env }}"
   when:
     - need_bootstrap.rc != 0
 

roles/bootstrap-os/tasks/main.yml

@@ -5,7 +5,6 @@
   changed_when: false
   # This command should always run, even in check mode
   check_mode: false
-  environment: {}
 
 - include_tasks: bootstrap-centos.yml
   when: '"CentOS" in os_release.stdout or "Oracle" in os_release.stdout'

roles/container-engine/containerd/tasks/containerd_repo.yml

@@ -10,6 +10,7 @@
   retries: 4
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ containerd_repo_key_info.repo_keys }}"
+  environment: "{{ proxy_env }}"
   when:
     - ansible_os_family in ['Ubuntu', 'Debian']
 

roles/container-engine/crun/tasks/main.yml

@@ -11,9 +11,11 @@
     path: "{{ crun_bin_dir }}/crun"
   register: crun_stat
 
+# TODO: use download_file.yml
 - name: Download binary
   get_url:
     url: "{{ crun_release_url }}"
     dest: "{{ crun_bin_dir }}/crun"
     mode: '0755'
   when: not crun_stat.stat.exists
+  environment: "{{ proxy_env }}"

roles/container-engine/docker/tasks/main.yml

@@ -74,6 +74,7 @@
   retries: 4
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ docker_repo_key_info.repo_keys }}"
+  environment: "{{ proxy_env }}"
   when: not (ansible_os_family in ["Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_ostree)
 
 - name: ensure docker-ce repository is enabled
@@ -95,6 +96,7 @@
   retries: 4
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ dockerproject_repo_key_info.repo_keys }}"
+  environment: "{{ proxy_env }}"
   when:
     - not (ansible_os_family in ["Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_ostree)
     - use_docker_engine is defined and use_docker_engine

roles/download/tasks/download_file.yml

@@ -66,6 +66,7 @@
     until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
     retries: 4
     delay: "{{ retry_stagger | default(5) }}"
+    environment: "{{ proxy_env }}"
 
   - name: download_file | Copy file back to ansible host file cache
     synchronize:

roles/kubespray-defaults/tasks/main.yaml

@@ -5,6 +5,19 @@
   tags:
     - always
 
+- name: "Set up proxy environment"
+  set_fact:
+    proxy_env:
+      http_proxy: "{{ http_proxy | default ('') }}"
+      HTTP_PROXY: "{{ http_proxy | default ('') }}"
+      https_proxy: "{{ https_proxy | default ('') }}"
+      HTTPS_PROXY: "{{ https_proxy | default ('') }}"
+      no_proxy: "{{ no_proxy | default ('') }}"
+      NO_PROXY: "{{ no_proxy | default ('') }}"
+  no_log: true
+  tags:
+    - always
+
 # do not run gather facts when bootstrap-os in roles
 - name: set fallback_ips
   import_tasks: fallback_ips.yml