Cilium installation fails in offline mode

What happened?

The cilium installation via kubespray, when offline mode is selected, fails as it tries to download the helm chart from internet.

What did you expect to happen?

The cilium installation should not pull the chart from internet in offline mode. The expected behaviour is: download the chart in the download files step use the chart from the local http repository to install cilium

How can we reproduce it (as minimally and precisely as possible)?

Deploy a kubernetes cluster in offline mode using cilium.

OS

RHEL 9

Version of Ansible

ansible [core 2.16.14] config file = /kubeprov/ansible.cfg configured module search path = ['/kubeprov/library'] ansible python module location = /usr/local/lib/python3.10/dist-packages/ansible ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections executable location = /usr/local/bin/ansible python version = 3.10.12 (main, Feb 4 2025, 14:57:36) [GCC 11.4.0] (/usr/bin/python3) jinja version = 3.1.6 libyaml = True

Version of Python

python version = 3.10.12

Version of Kubespray (commit)

2.28.0

Network plugin used

cilium

Full inventory with variables

"hostvars[inventory_hostname]": {
    "allow_unsupported_distribution_setup": false,
    "ansible_check_mode": false,
    "ansible_config_file": "/etc/ansible/ansible.cfg",
    "ansible_diff_mode": false,
    "ansible_facts": {},
    "ansible_forks": 5,
    "ansible_inventory_sources": [
        "/etc/kubespray/inventory/cluster1"
    ],
    "ansible_playbook_python": "/usr/bin/python3",
    "ansible_verbosity": 0,
    "ansible_version": {
        "full": "2.14.17",
        "major": 2,
        "minor": 14,
        "revision": 17,
        "string": "2.14.17"
    },
    "bin_dir": "/usr/bin",
    "calico_crds_download_url": "{{ files_repo }}/{{ calico_version }}.tar.gz",
    "calicoctl_alternate_download_url": "{{ files_repo }}/calicoctl-linux-{{ image_arch }}",
    "calicoctl_download_url": "{{ files_repo }}/calicoctl-linux-{{ image_arch }}",
    "cert_manager_ca_cert_path": "",
    "cert_manager_ca_key_path": "",
    "cilium_helm_chart": "{{ files_repo }}/cilium-{{ cilium_version }}.tgz",
    "ciliumcli_download_url": "{{ files_repo }}/cilium-linux-{{ image_arch }}.tar.gz",
    "cluster_external_name": "cluster1.external",
    "cni_download_url": "{{ files_repo }}/cni-plugins-linux-{{ image_arch }}-v{{ cni_version }}.tgz",
    "containerd_download_url": "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz",
    "containerd_registries_mirrors": [
        {
            "mirrors": [
                {
                    "capabilities": [
                        "pull",
                        "resolve"
                    ],
                    "host": "http://10.40.0.57:5000",
                    "skip_verify": false
                }
            ],
            "prefix": "10.40.0.57:5000"
        }
    ],
    "cri_dockerd_download_url": "{{ files_repo }}/cri-dockerd-{{ cri_dockerd_version }}.{{ image_arch }}.tgz",
    "crictl_download_url": "{{ files_repo }}/crictl-v{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz",
    "crio_download_url": "{{ files_repo }}/cri-o.{{ image_arch }}.v{{ crio_version }}.tar.gz",
    "crun_download_url": "{{ files_repo }}/crun-{{ crun_version }}-linux-{{ image_arch }}",
    "docker_image_repo": "10.40.0.57:5000",
    "docker_io_login": "nimbix",
    "docker_io_name": "registry-1.docker.io",
    "docker_io_password": "nimbix245!",
    "etcd_data_dir": "/var/lib/etcd",
    "etcd_deployment_type": "kubeadm",
    "etcd_download_url": "{{ files_repo }}/etcd-v{{ etcd_version }}-linux-amd64.tar.gz",
    "files_repo": "http://10.40.0.57/kubespray/repository",
    "flannel_cni_download_url": "{{ files_repo }}/flannel-{{ image_arch }}",
    "gcr_image_repo": "10.40.0.57:5000",
    "github_image_repo": "10.40.0.57:5000",
    "group_names": [
        "ungrouped"
    ],
    "groups": {
        "all": [
            "ac8bc2d8CC161d16d9bfE158EBA4ab6C65b1b4Ed7e4BEb1C9Da96E3fBBE75DCc"
        ],
        "ungrouped": [
            "ac8bc2d8CC161d16d9bfE158EBA4ab6C65b1b4Ed7e4BEb1C9Da96E3fBBE75DCc"
        ]
    },
    "gvisor_containerd_shim_runsc_download_url": "{{ files_repo }}/{{ ansible_architecture }}/containerd-shim-runsc-v1",
    "gvisor_runsc_download_url": "{{ files_repo }}/{{ ansible_architecture }}/runsc",
    "helm_download_url": "{{ files_repo }}/helm-v{{ helm_version }}-linux-{{ image_arch }}.tar.gz",
    "http_proxy": "",
    "https_proxy": "",
    "ingress_custom_nginx_class": "nginx",
    "ingress_custom_nginx_enabled": true,
    "ingress_custom_nginx_namespace": "kube-system",
    "ingress_nginx_url": "{{ files_repo }}/ingress-nginx-{{ ingress_nginx_version }}.tgz",
    "inventory_dir": "/etc/kubespray/inventory/cluster1/credentials",
    "inventory_file": "/etc/kubespray/inventory/cluster1/credentials/kubeadm_certificate_key.creds",
    "inventory_hostname": "ac8bc2d8CC161d16d9bfE158EBA4ab6C65b1b4Ed7e4BEb1C9Da96E3fBBE75DCc",
    "inventory_hostname_short": "ac8bc2d8CC161d16d9bfE158EBA4ab6C65b1b4Ed7e4BEb1C9Da96E3fBBE75DCc",
    "kata_containers_download_url": "{{ files_repo }}/kata-static-{{ kata_containers_version }}-{{ ansible_architecture }}.tar.xz",
    "kube_image_repo": "10.40.0.57:5000",
    "kube_webhook_token_auth": false,
    "kube_webhook_token_auth_url_skip_tls_verify": false,
    "kubeadm_download_url": "http://10.40.0.57/kubespray/repository/kubeadm",
    "kubectl_download_url": "http://10.40.0.57/kubespray/repository/kubectl",
    "kubelet_download_url": "http://10.40.0.57/kubespray/repository/kubelet",
    "loadbalancer_apiserver_healthcheck_port": 8081,
    "loadbalancer_apiserver_port": 6443,
    "loadbalancer_apiserver_type": "haproxy",
    "nerdctl_download_url": "{{ files_repo }}/nerdctl-{{ nerdctl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz",
    "nfs_provisioner_accessmodes": "ReadWriteOnce",
    "nfs_provisioner_enabled": true,
    "nfs_provisioner_namespace": "kube-system",
    "nfs_provisioner_path": "/srv/nfs",
    "nfs_provisioner_server": "10.40.0.1",
    "nfs_provisioner_url": "{{ files_repo }}/nfs-subdir-external-provisioner-{{ nfs_provisioner_version }}.tgz",
    "no_proxy_exclude_workers": false,
    "ntp_enabled": false,
    "ntp_manage_config": false,
    "ntp_servers": [
        "0.pool.ntp.org iburst",
        "1.pool.ntp.org iburst",
        "2.pool.ntp.org iburst",
        "3.pool.ntp.org iburst"
    ],
    "omit": "__omit_place_holder__2d1b4caf966c5e6a35aceb938c02ada64ed4bcc3",
    "playbook_dir": "/etc/kubespray",
    "quay_image_repo": "10.40.0.57:5000",
    "registry_host": "10.40.0.57:5000",
    "rhel_enable_repos": false,
    "runc_download_url": "{{ files_repo }}/runc.{{ image_arch }}",
    "skip_http_proxy_on_os_packages": true,
    "skopeo_download_url": "{{ files_repo }}/skopeo-linux-{{ image_arch }}",
    "unsafe_show_logs": false
}

}

Command used to invoke ansible

ansible-playbook cluster.yml -i inventory/cluster1

Output of ansible run

21:51:32 TASK [network_plugin/cilium : Cilium | Install] ********************************

21:51:32 fatal: [bach1]: FAILED! => changed=true

21:51:32 cmd:

21:51:32 - /usr/bin/cilium

21:51:32 - install

21:51:32 - --version

21:51:32 - 1.17.3

21:51:32 - -f

21:51:32 - /etc/kubernetes/cilium-values.yaml

21:51:32 - --set

21:51:32 - image.useDigest=false

21:51:32 - --set

21:51:32 - operator.image.useDigest=false

21:51:32 - --set

21:51:32 - envoy.enabled=false

21:51:32 - --set

21:51:32 - l7Proxy=false

21:51:32 delta: '0:00:00.037439'

21:51:32 end: '2025-09-15 21:51:31.631222'

21:51:32 msg: non-zero return code

21:51:32 rc: 1

21:51:32 start: '2025-09-15 21:51:31.593783'

21:51:32 stderr: 'looks like "https://helm.cilium.io" is not a valid chart repository or cannot be reached: Get "https://helm.cilium.io/index.yaml": dial tcp: lookup helm.cilium.io on 10.1.0.52:53: server misbehaving'

21:51:32 stderr_lines:

21:51:32 stdout: ''

21:51:32 stdout_lines:

Anything else we need to know

No response