
Commit 3ed124f

authored
Merge pull request #1 from Perun-Engineering/fix/gitlab-registry-configuration
fix: GitLab registry configuration
2 parents 06c597d + 714e845 commit 3ed124f

6 files changed

Lines changed: 54 additions & 2 deletions


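--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,6 +36,7 @@ jobs:
 uses: cycjimmy/semantic-release-action@v4
 with:
 semantic_version: 23.0.2
+branches: main
 extra_plugins: |
 @semantic-release/changelog@6.0.3
 @semantic-release/git@10.0.1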

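--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.11.0 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.36.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.37.1 |
 
 ## Modules
 
@@ -45,6 +45,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 | [kubernetes_namespace.gitlab](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_secret.gitlab_omniauth_providers](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.gitlab_rails_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret.gitlab_registry_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.ldap](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
@@ -57,6 +58,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_bucket_prefix"></a> [bucket\_prefix](#input\_bucket\_prefix) | Prefix used for S3 buckets | `string` | `""` | no |
 | <a name="input_buckets_lifecycles"></a> [buckets\_lifecycles](#input\_buckets\_lifecycles) | Lifecycle rules for buckets | `map(string)` | `{}` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name where you want to deploy the release | `string` | n/a | yes |
 | <a name="input_database_password"></a> [database\_password](#input\_database\_password) | Password to access PostgreSQL database | `string` | n/a | yes |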

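--- a/examples/main.tf
+++ b/examples/main.tf
@@ -14,6 +14,7 @@ args:
 ]
 }
 EOF
+bucket_prefix = "gitlab-mycompany"
 }
 
 module "gitlab" {
@@ -31,6 +32,7 @@ module "gitlab" {
 "gitlab-omniauth-saml" = local.saml_google_provider
 }
 
+bucket_prefix = local.bucket_prefix
 buckets_lifecycles = {
 artifacts = <<EOF
 {
@@ -71,7 +73,7 @@ EOF
 redis_host = "master.gitlab.xxxxxx.euc1.cache.amazonaws.com"
 redis_port = "6379"
 release_name = "gitlab"
-bucket_prefix = "gitlab-mycompany"
+bucket_prefix = local.bucket_prefix
 domain = "example.com"
 smtp_address = "smtp.gmail.com"
 })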

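--- a/examples/values.yaml
+++ b/examples/values.yaml
@@ -192,6 +192,9 @@ gitlab:
 registry:
 enabled: true
 bucket: ${bucket_prefix}-registry
+storage:
+secret: ${release_name}-registry-storage
+key: config
 redis:
 cache:
 password: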
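Review bot: The new `storage.secret` name and `key: config` are coupled by string to `kubernetes_secret.gitlab_registry_storage` in main.tf (`"${var.release_name}-registry-storage"` with data key `config`), and nothing in this template records that dependency. A comment above `storage:` such as `# secret name and key must match kubernetes_secret.gitlab_registry_storage in main.tf` would stop a rename on either side from silently leaving the registry without storage configuration. The enclosing `gitlab:` / `registry:` mapping begins outside the hunk.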

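--- a/main.tf
+++ b/main.tf
@@ -105,6 +105,22 @@ resource "kubernetes_secret" "ldap" {
 type = "Opaque"
 }
 
+resource "kubernetes_secret" "gitlab_registry_storage" {
+metadata {
+name = "${var.release_name}-registry-storage"
+namespace = local.release_namespace
+}
+
+data = {
+config = <<EOF
+s3:
+bucket: ${var.bucket_prefix}-registry
+region: ${data.aws_region.current.name}
+v4auth: true
+EOF
+}
+}
+
 data "aws_iam_policy_document" "s3_bucket_policy" {
 for_each = local.buckets_list
 
@@ -162,6 +178,28 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
 actions = ["s3:GetObjectAcl"]
 resources = ["arn:aws:s3:::${each.value}/*"]
 }
+
+statement {
+sid = "AllowListBucketMultipartUploads"
+effect = "Allow"
+principals {
+type = "AWS"
+identifiers = [module.gitlab_role.iam_role_arn]
+}
+actions = ["s3:ListBucketMultipartUploads"]
+resources = ["arn:aws:s3:::${each.value}"]
+}
+
+statement {
+sid = "AllowListMultipartUploadParts"
+effect = "Allow"
+principals {
+type = "AWS"
+identifiers = [module.gitlab_role.iam_role_arn]
+}
+actions = ["s3:ListMultipartUploadParts"]
+resources = ["arn:aws:s3:::${each.value}/*"]
+}
 }
 
 module "s3_bucket" {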
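Review bot: `kubernetes_secret.gitlab_registry_storage` sets no `type`, while the `ldap` secret whose closing lines form the first hunk's leading context sets `type = "Opaque"`; adding `type = "Opaque"` after the `data` block keeps the secret resources in this file consistent. The rendered config carries only `bucket`, `region` and `v4auth` and no access keys, so the registry presumably authenticates through `module.gitlab_role`, the principal the second hunk's bucket-policy statements grant `s3:ListBucketMultipartUploads` and `s3:ListMultipartUploadParts` to — worth confirming and stating above the resource, e.g. `# Registry storage config only: no static credentials are stored here, S3 access is expected to come from the IAM role granted in the bucket policy`. Keeping credentials out of this secret also matters because its `data` is written to Terraform state. Because the value is a `<<EOF` heredoc, any leading indentation in the source file is part of the YAML the registry receives, which this rendered view cannot show; if the lines are indented, `<<-EOF` strips it.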

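--- a/variables.tf
+++ b/variables.tf
@@ -76,6 +76,12 @@ variable "namespace_labels" {
 default = {}
 }
 
+variable "bucket_prefix" {
+description = "Prefix used for S3 buckets"
+type = string
+default = ""
+}
+
 variable "buckets_lifecycles" {
 description = "Lifecycle rules for buckets"
 type = map(string)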
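Review bot: `bucket_prefix` defaults to `""` with no validation, yet main.tf interpolates it directly into the registry storage config as `${var.bucket_prefix}-registry`, so the default produces a bucket named `-registry`, which S3 will not accept; the failure only surfaces when the registry tries to use it rather than at plan time. Unless something outside this hunk supplies a fallback for an empty prefix, either drop the default so the variable is required, or keep the default and add a `validation` block that rejects the empty string; the README row marking it as not required (and the README table, which looks generated) would then need regenerating. The description could also say what the prefix is combined with, e.g. `description = "Prefix used for S3 bucket names (<prefix>-registry, ...)"`.
```hcl
variable "bucket_prefix" {
  # … unchanged: description, type, default …

  validation {
    condition     = length(var.bucket_prefix) > 0
    error_message = "bucket_prefix must be non-empty: it is the base of the S3 bucket names (<prefix>-registry)."
  }
}
```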
