diff --git a/chart/templates/gitlab/secret-ca.yaml b/chart/templates/gitlab/secret-ca.yaml
index 8792fa096cf450077d71838fe2d896ec4809ec4d..beb2ccc2cd35dc4fa0ea614f980a056f380a1df3 100644
--- a/chart/templates/gitlab/secret-ca.yaml
+++ b/chart/templates/gitlab/secret-ca.yaml
@@ -7,4 +7,4 @@ metadata:
 type: Opaque
 data:
   ca.pem: {{ .Values.sso.certificate_authority | b64enc }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/chart/templates/gitlab/values.yaml b/chart/templates/gitlab/values.yaml
index 80a402ca43fc0eb02c92bc75c26ec58fafd2a261..374138a1976e76d44a4338a41ae2bed47a59ea98 100644
--- a/chart/templates/gitlab/values.yaml
+++ b/chart/templates/gitlab/values.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.addons.gitlab.enabled }}
-{{- include "values-secret" (dict "root" $ "package" .Values.addons.gitlab "name" "gitlab" "defaults" (include "bigbang.defaults.gitlab" .)) }}
+{{- include "values-secret" (dict "root" $ "package" (dict "values" (fromYaml (include "bigbang.overlays.gitlab" .))) "name" "gitlab" "defaults" (include "bigbang.defaults.gitlab" .)) }}
 {{- end }}
 {{- if and (ne .Values.addons.gitlab.objectStorage.iamProfile "") (ne .Values.addons.gitlab.objectStorage.accessKey "") }}{{- fail "Must choose to use an IAM profile OR an AWS accessKey/accessSecret at .Values.addons.gitlab.objectStorage" }}{{- end }}
 {{- define "bigbang.defaults.gitlab" -}}
@@ -156,6 +156,12 @@ minio:
 {{- end }}
 
 global:
+  {{- if and .Values.addons.gitlab.sso.enabled .Values.sso.certificate_authority}}
+  certificates:
+    customCAs:
+      - secret: tls-ca-sso
+  {{end}}
+
   # added to help with Gitlab sub-chart configuration
   image:
     pullPolicy: {{ .Values.imagePullPolicy }}
@@ -335,5 +341,30 @@ global:
 {{- if ne .Values.addons.gitlab.objectStorage.iamProfile "" }}
 use_iam_profile: true
 {{- end }}
-
 {{- end -}}
+
+
+
+{{- /* This function merges defaults in lists from above into overlays */ -}}
+{{- /* The end user will not have to replicate exclusions/repos from above when providing an overlay */ -}}
+{{- /* There is a hidden flag `skipOverlayMerge` that can be added to any certificates to ignore the defaults */ -}}
+{{- define "bigbang.overlays.gitlab" }}
+
+  {{- $defaults := fromYaml (include "bigbang.defaults.gitlab" .) }}
+
+  {{- $overlays := dig "values" dict .Values.addons.gitlab }}
+  {{- range $certificates, $default := $defaults.global }}
+    {{- $overlay := (dig "global" $certificates dict $overlays) }}
+    # Only continue if an overlay matches a default constriant and hidden "skipOverlayMerge" is not set
+    {{- if and $overlay (not $overlay.skipOverlayMerge) }}
+
+      # Add any default excludedNamespaces to overlay
+      {{- if and (dig "customCAs"  list $default) (dig "customCAs"  list $overlay) }}
+
+         {{ $_ := set $overlay "customCAs" (concat $default.customCAs $overlay.customCAs) }}
+
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{ toYaml $overlays }}
+{{- end }}