kubernetes-sigs/kubespray

Cilium installation fails in offline mode

Open

#12,558 opened on Sep 17, 2025

View on GitHub
 (6 comments) (0 reactions) (0 assignees)HTML (10,380 stars) (4,419 forks)batch import
RHEL 9help wantedkind/bugtriage/accepted

Description

What happened?

The cilium installation via kubespray, when offline mode is selected, fails as it tries to download the helm chart from internet.

What did you expect to happen?

The cilium installation should not pull the chart from internet in offline mode. The expected behaviour is: download the chart in the download files step use the chart from the local http repository to install cilium

How can we reproduce it (as minimally and precisely as possible)?

Deploy a kubernetes cluster in offline mode using cilium.

OS

RHEL 9

Version of Ansible

ansible [core 2.16.14] config file = /kubeprov/ansible.cfg configured module search path = ['/kubeprov/library'] ansible python module location = /usr/local/lib/python3.10/dist-packages/ansible ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections executable location = /usr/local/bin/ansible python version = 3.10.12 (main, Feb 4 2025, 14:57:36) [GCC 11.4.0] (/usr/bin/python3) jinja version = 3.1.6 libyaml = True

Version of Python

python version = 3.10.12

Version of Kubespray (commit)

2.28.0

Network plugin used

cilium

Full inventory with variables

"hostvars[inventory_hostname]": {
    "allow_unsupported_distribution_setup": false,
    "ansible_check_mode": false,
    "ansible_config_file": "/etc/ansible/ansible.cfg",
    "ansible_diff_mode": false,
    "ansible_facts": {},
    "ansible_forks": 5,
    "ansible_inventory_sources": [
        "/etc/kubespray/inventory/cluster1"
    ],
    "ansible_playbook_python": "/usr/bin/python3",
    "ansible_verbosity": 0,
    "ansible_version": {
        "full": "2.14.17",
        "major": 2,
        "minor": 14,
        "revision": 17,
        "string": "2.14.17"
    },
    "bin_dir": "/usr/bin",
    "calico_crds_download_url": "{{ files_repo }}/{{ calico_version }}.tar.gz",
    "calicoctl_alternate_download_url": "{{ files_repo }}/calicoctl-linux-{{ image_arch }}",
    "calicoctl_download_url": "{{ files_repo }}/calicoctl-linux-{{ image_arch }}",
    "cert_manager_ca_cert_path": "",
    "cert_manager_ca_key_path": "",
    "cilium_helm_chart": "{{ files_repo }}/cilium-{{ cilium_version }}.tgz",
    "ciliumcli_download_url": "{{ files_repo }}/cilium-linux-{{ image_arch }}.tar.gz",
    "cluster_external_name": "cluster1.external",
    "cni_download_url": "{{ files_repo }}/cni-plugins-linux-{{ image_arch }}-v{{ cni_version }}.tgz",
    "containerd_download_url": "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz",
    "containerd_registries_mirrors": [
        {
            "mirrors": [
                {
                    "capabilities": [
                        "pull",
                        "resolve"
                    ],
                    "host": "http://10.40.0.57:5000",
                    "skip_verify": false
                }
            ],
            "prefix": "10.40.0.57:5000"
        }
    ],
    "cri_dockerd_download_url": "{{ files_repo }}/cri-dockerd-{{ cri_dockerd_version }}.{{ image_arch }}.tgz",
    "crictl_download_url": "{{ files_repo }}/crictl-v{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz",
    "crio_download_url": "{{ files_repo }}/cri-o.{{ image_arch }}.v{{ crio_version }}.tar.gz",
    "crun_download_url": "{{ files_repo }}/crun-{{ crun_version }}-linux-{{ image_arch }}",
    "docker_image_repo": "10.40.0.57:5000",
    "docker_io_login": "nimbix",
    "docker_io_name": "registry-1.docker.io",
    "docker_io_password": "nimbix245!",
    "etcd_data_dir": "/var/lib/etcd",
    "etcd_deployment_type": "kubeadm",
    "etcd_download_url": "{{ files_repo }}/etcd-v{{ etcd_version }}-linux-amd64.tar.gz",
    "files_repo": "http://10.40.0.57/kubespray/repository",
    "flannel_cni_download_url": "{{ files_repo }}/flannel-{{ image_arch }}",
    "gcr_image_repo": "10.40.0.57:5000",
    "github_image_repo": "10.40.0.57:5000",
    "group_names": [
        "ungrouped"
    ],
    "groups": {
        "all": [
            "ac8bc2d8CC161d16d9bfE158EBA4ab6C65b1b4Ed7e4BEb1C9Da96E3fBBE75DCc"
        ],
        "ungrouped": [
            "ac8bc2d8CC161d16d9bfE158EBA4ab6C65b1b4Ed7e4BEb1C9Da96E3fBBE75DCc"
        ]
    },
    "gvisor_containerd_shim_runsc_download_url": "{{ files_repo }}/{{ ansible_architecture }}/containerd-shim-runsc-v1",
    "gvisor_runsc_download_url": "{{ files_repo }}/{{ ansible_architecture }}/runsc",
    "helm_download_url": "{{ files_repo }}/helm-v{{ helm_version }}-linux-{{ image_arch }}.tar.gz",
    "http_proxy": "",
    "https_proxy": "",
    "ingress_custom_nginx_class": "nginx",
    "ingress_custom_nginx_enabled": true,
    "ingress_custom_nginx_namespace": "kube-system",
    "ingress_nginx_url": "{{ files_repo }}/ingress-nginx-{{ ingress_nginx_version }}.tgz",
    "inventory_dir": "/etc/kubespray/inventory/cluster1/credentials",
    "inventory_file": "/etc/kubespray/inventory/cluster1/credentials/kubeadm_certificate_key.creds",
    "inventory_hostname": "ac8bc2d8CC161d16d9bfE158EBA4ab6C65b1b4Ed7e4BEb1C9Da96E3fBBE75DCc",
    "inventory_hostname_short": "ac8bc2d8CC161d16d9bfE158EBA4ab6C65b1b4Ed7e4BEb1C9Da96E3fBBE75DCc",
    "kata_containers_download_url": "{{ files_repo }}/kata-static-{{ kata_containers_version }}-{{ ansible_architecture }}.tar.xz",
    "kube_image_repo": "10.40.0.57:5000",
    "kube_webhook_token_auth": false,
    "kube_webhook_token_auth_url_skip_tls_verify": false,
    "kubeadm_download_url": "http://10.40.0.57/kubespray/repository/kubeadm",
    "kubectl_download_url": "http://10.40.0.57/kubespray/repository/kubectl",
    "kubelet_download_url": "http://10.40.0.57/kubespray/repository/kubelet",
    "loadbalancer_apiserver_healthcheck_port": 8081,
    "loadbalancer_apiserver_port": 6443,
    "loadbalancer_apiserver_type": "haproxy",
    "nerdctl_download_url": "{{ files_repo }}/nerdctl-{{ nerdctl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz",
    "nfs_provisioner_accessmodes": "ReadWriteOnce",
    "nfs_provisioner_enabled": true,
    "nfs_provisioner_namespace": "kube-system",
    "nfs_provisioner_path": "/srv/nfs",
    "nfs_provisioner_server": "10.40.0.1",
    "nfs_provisioner_url": "{{ files_repo }}/nfs-subdir-external-provisioner-{{ nfs_provisioner_version }}.tgz",
    "no_proxy_exclude_workers": false,
    "ntp_enabled": false,
    "ntp_manage_config": false,
    "ntp_servers": [
        "0.pool.ntp.org iburst",
        "1.pool.ntp.org iburst",
        "2.pool.ntp.org iburst",
        "3.pool.ntp.org iburst"
    ],
    "omit": "__omit_place_holder__2d1b4caf966c5e6a35aceb938c02ada64ed4bcc3",
    "playbook_dir": "/etc/kubespray",
    "quay_image_repo": "10.40.0.57:5000",
    "registry_host": "10.40.0.57:5000",
    "rhel_enable_repos": false,
    "runc_download_url": "{{ files_repo }}/runc.{{ image_arch }}",
    "skip_http_proxy_on_os_packages": true,
    "skopeo_download_url": "{{ files_repo }}/skopeo-linux-{{ image_arch }}",
    "unsafe_show_logs": false
}

}

Command used to invoke ansible

ansible-playbook cluster.yml -i inventory/cluster1

Output of ansible run

21:51:32 TASK [network_plugin/cilium : Cilium | Install] ********************************

21:51:32 fatal: [bach1]: FAILED! => changed=true

21:51:32 cmd:

21:51:32 - /usr/bin/cilium

21:51:32 - install

21:51:32 - --version

21:51:32 - 1.17.3

21:51:32 - -f

21:51:32 - /etc/kubernetes/cilium-values.yaml

21:51:32 - --set

21:51:32 - image.useDigest=false

21:51:32 - --set

21:51:32 - operator.image.useDigest=false

21:51:32 - --set

21:51:32 - envoy.enabled=false

21:51:32 - --set

21:51:32 - l7Proxy=false

21:51:32 delta: '0:00:00.037439'

21:51:32 end: '2025-09-15 21:51:31.631222'

21:51:32 msg: non-zero return code

21:51:32 rc: 1

21:51:32 start: '2025-09-15 21:51:31.593783'

21:51:32 stderr: 'looks like "https://helm.cilium.io" is not a valid chart repository or cannot be reached: Get "https://helm.cilium.io/index.yaml": dial tcp: lookup helm.cilium.io on 10.1.0.52:53: server misbehaving'

21:51:32 stderr_lines:

21:51:32 stdout: ''

21:51:32 stdout_lines:

Anything else we need to know

No response

Contributor guide

Tech stack
kubernetesdockershell
Domain
devopsinfrastructurecloud
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
AnsibleHelmKubespray
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
30
Research direction
Investigate the Cilium role in Kubespray, specifically the task 'network plugin/cilium : Cilium | Install'. The issue indicates that the task uses `cilium install` command which tries to fetch the Helm chart from the internet. In offline mode, the chart should be pre downloaded and served from a local HTTP repository. Review how other network plugins handle offline mode, and ensure the cilium install command uses the local chart URL from files repo (e.g., `{{ files repo }}/cilium {{ cilium version }}.tgz`). Check the conditional for offline mode and modify the task accordingly.