From 1da8d28e67afaeefaac29f0325ea89233991eaaa Mon Sep 17 00:00:00 2001
From: Mykhailo Babych
Date: Fri, 23 May 2025 12:22:55 +0300
Subject: [PATCH 1/5] fix: Release workflow

---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d70fe2f..14ad9b7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,6 +36,7 @@ jobs:
 uses: cycjimmy/semantic-release-action@v4
 with:
 semantic_version: 23.0.2
+branches: main
 extra_plugins: |
 @semantic-release/changelog@6.0.3
 @semantic-release/git@10.0.1

From e7c9088e148f74d24094ad2fd26ec49a39225e76 Mon Sep 17 00:00:00 2001
From: Mykhailo Babych
Date: Fri, 23 May 2025 12:36:31 +0300
Subject: [PATCH 2/5] fix: S3 access role permissions

---
 README.md | 2 +-
 main.tf | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7673597..f1ab486 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 |------|---------|
 | [aws](#provider\_aws) | 5.36.0 |
 | [helm](#provider\_helm) | 2.11.0 |
-| [kubernetes](#provider\_kubernetes) | 2.36.0 |
+| [kubernetes](#provider\_kubernetes) | 2.33.0 |

 ## Modules

diff --git a/main.tf b/main.tf
index a11829f..f7f5ea2 100644
--- a/main.tf
+++ b/main.tf
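Review bot: The new `branches: main` input is undocumented in the hunk, and it presumably takes precedence over any branch list in a repository-level semantic-release config file; a YAML comment above it, `# release only from main; this input overrides the branches setting of any .releaserc`, would keep the two sources from drifting unnoticed. The action on the context line is referenced as `cycjimmy/semantic-release-action@v4`, a mutable major tag, while `extra_plugins` includes `@semantic-release/git@10.0.1`, which commits and pushes back to the branch named here; pinning the action to a full commit SHA would make the code that runs with that push-capable token immutable between reviews. The step that contains these inputs starts outside the hunk.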
@@ -162,6 +162,28 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
 actions = ["s3:GetObjectAcl"]
 resources = ["arn:aws:s3:::${each.value}/*"]
 }
+
+statement {
+sid = "AllowListBucketMultipartUploads"
+effect = "Allow"
+principals {
+type = "AWS"
+identifiers = [module.gitlab_role.iam_role_arn]
+}
+actions = ["s3:ListBucketMultipartUploads"]
+resources = ["arn:aws:s3:::${each.value}"]
+}
+
+statement {
+sid = "AllowListMultipartUploadParts"
+effect = "Allow"
+principals {
+type = "AWS"
+identifiers = [module.gitlab_role.iam_role_arn]
+}
+actions = ["s3:ListMultipartUploadParts"]
+resources = ["arn:aws:s3:::${each.value}/*"]
+}
 }

 module "s3_bucket" {

From 22eafe5728d84e529725dd00c9030d7d1c9602ca Mon Sep 17 00:00:00 2001
From: Mykhailo Babych
Date: Fri, 23 May 2025 13:17:28 +0300
Subject: [PATCH 3/5] fix: Add secret creation for registry strorage config

---
 README.md | 2 ++
 main.tf | 16 ++++++++++++++++
 variables.tf | 6 ++++++
 3 files changed, 24 insertions(+)

diff --git a/README.md b/README.md
index f1ab486..2d8c53e 100644
--- a/README.md
+++ b/README.md
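Review bot: The two added statements repeat the same `principals` block and differ only in action and resource scope, and nothing says why the split exists; a comment above the first, `# multipart uploads need bucket-level s3:ListBucketMultipartUploads and object-level s3:ListMultipartUploadParts`, would spare the next reader a trip to the S3 action table. If no statement above the hunk grants `s3:AbortMultipartUpload`, the role can list but never abort its own failed uploads, so orphaned parts keep accruing storage until a lifecycle rule with `abort_incomplete_multipart_upload` removes them; worth confirming against the earlier statements or the `buckets_lifecycles` input. The `s3_bucket_policy` data block starts outside the hunk.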
@@ -45,6 +45,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 | [kubernetes_namespace.gitlab](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_secret.gitlab_omniauth_providers](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.gitlab_rails_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_secret.gitlab_registry_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.ldap](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_secret.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
@@ -57,6 +58,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL

 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [bucket\_prefix](#input\_bucket\_prefix) | Prefix used for S3 buckets | `string` | `""` | no |
 | [buckets\_lifecycles](#input\_buckets\_lifecycles) | Lifecycle rules for buckets | `map(string)` | `{}` | no |
 | [cluster\_name](#input\_cluster\_name) | EKS cluster name where you want to deploy the release | `string` | n/a | yes |
 | [database\_password](#input\_database\_password) | Password to access PostgreSQL database | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index f7f5ea2..a034038 100644
--- a/main.tf
+++ b/main.tf
@@ -105,6 +105,22 @@ resource "kubernetes_secret" "ldap" {
 type = "Opaque"
 }

+resource "kubernetes_secret" "gitlab_registry_storage" {
+metadata {
+name = "${var.release_name}-registry-storage"
+namespace = local.release_namespace
+}
+
+data = {
+config = < Date: Fri, 23 May 2025 13:21:45 +0300
Subject: [PATCH 4/5] chore: Provider version

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2d8c53e..6cd4808 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 |------|---------|
 | [aws](#provider\_aws) | 5.36.0 |
 | [helm](#provider\_helm) | 2.11.0 |
-| [kubernetes](#provider\_kubernetes) | 2.33.0 |
+| [kubernetes](#provider\_kubernetes) | 2.37.1 |

 ## Modules

From 714e845810ff492961df2b5d018907f88ba429ae Mon Sep 17 00:00:00 2001
From: Mykhailo Babych
Date: Fri, 23 May 2025 13:25:17 +0300
Subject: [PATCH 5/5] chore: Examples update

---
 examples/main.tf | 4 +++-
 examples/values.yaml | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/examples/main.tf b/examples/main.tf
index b2fd224..5b0120d 100644
--- a/examples/main.tf
+++ b/examples/main.tf
@@ -14,6 +14,7 @@ args:
 ]
 }
 EOF
+bucket_prefix = "gitlab-mycompany"
 }

 module "gitlab" {
@@ -31,6 +32,7 @@ module "gitlab" {
 "gitlab-omniauth-saml" = local.saml_google_provider
 }

+bucket_prefix = local.bucket_prefix
 buckets_lifecycles = {
 artifacts = <