Today I struggled to try to connect to a private registry from within a gitlab-runner running docker-in-docker (or dind). The CI stopped with the error x509: certificate signed by unknown authority. I finally figured it out with some inspiration from this issue in the gitlab-runner repo.
Step 1: CA as an Environment Variable
The easiest way to get your CA certificate into your runner is by using environment variables. To do so, we must copy the content of our certificate into a CI/CD variable in GitLab under Project -> Settings -> CI/CD -> Variables.
In the following example I created an environment variable called CA_CERTIFICATE:
Step 2: Configure .gitlab-ci.yml
For the sake of simplicity we will use docker-in-docker with TLS disabled:
Next, we have to pass our certificate as an environment variable to the dind service container. Important: this will not happen automatically!
Finally, we can override the container command and properly install our CA certificate before starting the docker service:
And we're done!
A full example of the .gitlab-ci.yml looks like this:
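A configuration that follows the two steps above, written as an added example and not the author's original listing. The image tags, the certificate file name `my-ca.crt`, the job name and `registry.example.com` are assumptions, as is the presence of `update-ca-certificates` in the `docker:dind` image.

```yaml
# Added example; values marked "assumed" do not come from the original post.
image: docker:latest                  # assumed job image

variables:
  # Step 2: docker-in-docker with TLS disabled. The job talks to the dind
  # service over plain TCP, so this only suits a runner whose job network
  # is not shared with untrusted workloads.
  DOCKER_HOST: tcp://docker:2375
  DOCKER_TLS_CERTDIR: ""
  # Re-declare the project variable from Step 1 so it is handed to the
  # dind service container as well (one way to do this, assumed here).
  # CA_CERTIFICATE must be of type "Variable" (PEM text), not "File".
  CA_CERTIFICATE: "$CA_CERTIFICATE"

services:
  - name: docker:dind
    # Override the container command: install the CA first, then start
    # the Docker daemon through the image's normal entrypoint script.
    command:
      - /bin/sh
      - -c
      - |
        set -e
        # Fail early with a clear message if the variable did not arrive.
        if [ -z "$CA_CERTIFICATE" ]; then
          echo "CA_CERTIFICATE is empty in the dind container" >&2
          exit 1
        fi
        # my-ca.crt is an assumed file name; the directory is the one
        # update-ca-certificates scans for locally added CAs.
        printf '%s\n' "$CA_CERTIFICATE" > /usr/local/share/ca-certificates/my-ca.crt
        update-ca-certificates
        exec dockerd-entrypoint.sh

build:                                # assumed job name
  script:
    # The daemon inside dind performs the TLS handshake with the registry,
    # which is why the CA has to be trusted there and not only in the job.
    - docker info
    - docker pull registry.example.com/group/image:latest   # assumed registry
```

Trusting only the one private CA this way keeps certificate verification on; if the `x509: certificate signed by unknown authority` error persists, check the dind service log for the empty-variable message first.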