
Add support for custom CA certs using ADDITIONAL_CA_CERT_BUNDLE

Problem to Solve

It is very common to use custom SSL certificates. Self-managed users can use the release_cli image only if they have a public certificate, but they can't use the image with their own certificate.

Additional info:

SAST, DAST and other scanners support ADDITIONAL_CA_CERT_BUNDLE as an environment variable where users can provide their own Certificate Authority, most commonly used with self-signed SSL certificates. This certificate is used in HTTPS connections that allow a client to verify that the server they are talking to is legitimate. In the case of the release-cli, it will read the ADDITIONAL_CA_CERT_BUNDLE as an environment variable as well, and will allow self-managed customers to use the release yaml node (or the standalone release-cli) in their private networks that use custom SSL certificates not signed by a public CA.

Summary

Using custom CAs is challenging - the current best option is to use a before_script as described in this workaround.

It would be useful if GitLab Release supported the ADDITIONAL_CA_CERT_BUNDLE variable as defined for:

Possible fixes

The Merge Request for those three may provide a useful model.

/cc @jaime @ogolowinski

Edited by Itzik Gan Baruch