
Improve documentation for custom python registries

Problem to solve

Currently, License Compliance with a custom registry requires 2 things:

  • having a pip.conf file:
    [global]
    index-url = https://gitlab-airgap-pypi.us-west1-b.c.group-secure-a89fe7.internal/simple
    trusted-host = gitlab-airgap-pypi.us-west1-b.c.group-secure-a89fe7.internal
  • adding a before_script to copy that file in the right location:
    before_script:
      - mkdir -p ~/.config/pip/
      - cp pip.conf ~/.config/pip/pip.conf
  • configuring the `PIP_INDEX_URL` environment variable

PIP_INDEX_URL and pip.conf content both declare the custom registry URL.

Update

At one point it was required to provide both a PIP_INDEX_URL and a pip.conf file. This was necessary because we didn't support the ADDITIONAL_CA_CERT_BUNDLE environment variable, so the only way to install packages from a custom source was to disable TLS verification. To disable TLS verification, we had to ask code owners to include a pip.conf file with a setting that disables it.

Today, we no longer require TLS verification to be disabled, because we support the ADDITIONAL_CA_CERT_BUNDLE environment variable.

Intended users

Further details

Proposal

We might find a way to have this information in only one place.

See #214398 (comment 373537559)

Implementation plan

  • Update documentation to indicate that disabling TLS verification is dangerous and that we recommend providing a certificate chain instead. current docs

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Tetiana Chupryna
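
An added example, not part of the original issue or GitLab's code: a small Python check that flags the TLS-weakening settings in a pip.conf like the one above (`trusted-host`, or a plain `http://` index) and passes one that points pip's `cert` option at a CA bundle instead. The host name, bundle path and the `audit_pip_conf` function name are constructed for illustration.

```python
import configparser

# Constructed sample: the pip.conf shape shown in the issue (placeholder host).
WEAK_CONF = """\
[global]
index-url = https://pypi.internal.example/simple
trusted-host = pypi.internal.example
"""

# Constructed sample: same index, verified against a private CA bundle instead.
STRICT_CONF = """\
[global]
index-url = https://pypi.internal.example/simple
cert = /etc/ssl/private-ca/chain.pem
"""

INDEX_KEYS = ("index-url", "extra-index-url")


def audit_pip_conf(text):
    """Return (section, key, problem) findings for TLS-weakening pip settings."""
    # interpolation=None so '%' characters in URLs are not treated as templates.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        opts = parser[section]
        # trusted-host: pip accepts these hosts without valid HTTPS.
        for host in opts.get("trusted-host", "").split():
            findings.append(
                (section, "trusted-host", f"TLS verification disabled for {host}")
            )
        # A plain-http index has no transport protection at all.
        for key in INDEX_KEYS:
            for url in opts.get(key, "").split():
                if url.lower().startswith("http://"):
                    findings.append((section, key, f"unencrypted index {url}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("strict", STRICT_CONF)):
        print(name, audit_pip_conf(conf) or "no TLS-weakening settings")
```

Run against the repository's pip.conf in a pipeline step, a non-empty result is a reason to fail the job and supply the certificate chain instead.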