Support using self-signed certificates with the GitLab Container Registry
Release notes
Support using self-signed and private CA certificates with the GitLab Container Registry, including documented configuration steps for GitLab components, runners, and common client environments.
Problem to solve
Some customers operate in restricted or highly regulated environments where self-signed/private CA certificates are required for internal services. The GitLab Container Registry does not currently support this configuration, leaving customers to implement fragile and sometimes insecure workarounds (disabling verification, custom hacks to trust stores, etc.). This blocks or severely complicates adoption of the GitLab Container Registry in these environments.
Intended users
- DevOps engineers and platform teams administering GitLab and its Container Registry
- Application developers and CI/CD users who build and pull images from the GitLab Container Registry
User experience goal
Users should be able to configure the GitLab Container Registry to use a self-signed or internal CA certificate and have all relevant GitLab components and clients (GitLab Runner, CI jobs, Kubernetes clusters) trust and use that registry without custom, unsupported hacks. The configuration should be clearly documented, repeatable, and supportable.
Proposal
Add official support for using self-signed and internal CA certificates with the GitLab Container Registry.
Further details
Reference for current limitation:
https://docs.gitlab.com/administration/packages/container_registry_troubleshooting/#using-self-signed-certificates-with-container-registry